diff --git a/.css/squert.css b/.css/squert.css index 7f6f5b4..933d418 100644 --- a/.css/squert.css +++ b/.css/squert.css @@ -776,6 +776,11 @@ color:#4D5580; td.sub2_inactive { text-decoration:line-through; } +td.sub2_capme { +text-decoration:underline; +cursor:pointer; +color:#4D5580; +} td.sub_txt { width:900px; background: #f4f4f4; diff --git a/.gitignore b/.gitignore index b9f3c68..24dcae6 100644 --- a/.gitignore +++ b/.gitignore @@ -1,4 +1,6 @@ +.bzr .htaccess +.pc .scripts/*.md5 .inc/config.php .scripts/cliscript.tcl diff --git a/.inc/callback.php b/.inc/callback.php index 1fa24f9..79915dc 100644 --- a/.inc/callback.php +++ b/.inc/callback.php @@ -9,10 +9,18 @@ $base = dirname(__FILE__); include_once "$base/config.php"; include_once "$base/functions.php"; - -$link = mysql_connect($dbHost,$dbUser,$dbPass); -$db = mysql_select_db($dbName,$link); - +// PDO prepared statements +try { + // first connect to database with the PDO object. + $dbpdo = new PDO("mysql:host=$dbHost;dbname=$dbName;charset=latin1", "$dbUser", "$dbPass", [ + PDO::ATTR_EMULATE_PREPARES => false, + PDO::MYSQL_ATTR_USE_BUFFERED_QUERY => false, + PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION + ]); +} catch(PDOException $e){ + // if connection fails, log PDO error. + error_log("Error connecting to mysql: ". $e->getMessage()); +} $type = $_REQUEST['type']; $types = array( @@ -46,7 +54,7 @@ if (isset($_REQUEST['ts'])) { // Need EC - $tsParts = explode("|", mysql_real_escape_string(hextostr($_REQUEST['ts']))); + $tsParts = explode("|", hextostr($_REQUEST['ts'])); $sdate = $tsParts[0]; $edate = $tsParts[1]; $stime = $tsParts[2]; 
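Review bot: The `catch (PDOException $e)` around `new PDO(...)` only logs and lets the script continue, so `$dbpdo` is never assigned and the first `$dbpdo->prepare()` in whichever handler runs fails with a fatal error on a null object. Terminate the request after logging, e.g. `http_response_code(500); echo json_encode(array()); exit;` inside the catch, so the caller gets a well-formed response. The DSN also pins `charset=latin1` while `filters()` later in this diff HTML-encodes fetched values as `'UTF-8'`; if the schema really is latin1, a one-line comment here saying so would spare the next reader a trip to the database.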
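Review bot: Removing `mysql_real_escape_string()` from the `ts` parsing is only safe if nothing still interpolates the parts, yet the context lines at the start of the next hunk show `$start`, `$end` and `$when` still being assembled from `$sdate`/`$stime` by string interpolation, and `$when` is still imported via `global` in `level0()`, `level1()`, `level2a()`, `map()` and `summary()`. If no statement references `$when` any more, delete those three assignments and the `global` entries so the unescaped interpolation cannot be reintroduced; if one does, it needs the same `:sdatetime`/`:edatetime` binding that `$qp2` now uses. The `explode()` result is also consumed without a count check, so a `ts` value with fewer `|`-separated parts leaves the later `$tsParts[...]` entries undefined.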
@@ -55,21 +63,125 @@ $start = "CONVERT_TZ('$sdate $stime','$offset','+00:00')"; $end = "CONVERT_TZ('$edate $etime','$offset','+00:00')"; $when = "event.timestamp BETWEEN $start AND $end"; + // combine start date and start time for prepared statements + $sdatetime = "$sdate $stime"; + // combine end date and end time for prepared statements + $edatetime = "$edate $etime"; } +// user can specify sensors +$sensors = ''; +$sensorsclean = ''; +$in = ''; +$sensor_params = array(); if (isset($_REQUEST['sensors'])) { $sensors = hextostr($_REQUEST['sensors']); if ($sensors == 'empty') { $sensors = ''; + } else { + // $sensors looks like this: + // AND event.sid IN('3','1') + // let's clean that up so we can use prepared statements + $sensorsclean = ltrim($sensors, 'AND event.sid IN('); + $sensorsclean = rtrim($sensorsclean, ')'); + $sensorsclean = str_replace("'","", $sensorsclean); + // now we need to dynamically build IN for prepared statement based on: + // https://phpdelusions.net/pdo#like + $ids = explode(",", $sensorsclean); + foreach ($ids as $i => $item) + { + $key = ":id".$i; + $in .= "$key,"; + $sensor_params[$key] = $item; // collecting values into key-value array + } + $in = rtrim($in,","); // :id0,:id1,:id2 + $sensors = "AND event.sid IN($in)"; } } -if (isset($_REQUEST['rt'])) { - $rt = $_REQUEST['rt']; - if ($rt == 1) { - $rt = "AND event.status = 0"; +// rt is the queue-only toggle on the left side of the EVENTS tab +$rt = ""; +if (isset($_REQUEST['rt']) && $_REQUEST['rt'] == 1) { + $rt = "AND event.status = 0"; +} + +// $sv is for sorting. For example: DESC +// this cannot be done via prepared statement, so we use a whitelist approach +$sv = ""; +if (isset($_REQUEST['sv'])) { + $sv = $_REQUEST['sv'] == 'DESC' ? 'DESC' : 'ASC'; +} + +// many functions below rely on filters so let's build that out now +if (isset($_REQUEST['filter'])) { + $filter = hextostr($_REQUEST['filter']); + // $filter comes from the filter box in the upper right corner of the EVENTS tab. 
Default: empty + if ($filter != 'empty') { + if (substr($filter, 0,4) == 'cmt ') { + // user entered cmt into the filter box + // pull their filter out and place it into the prepared statement array + $comment = explode('cmt ', $filter); + $filtercmt = $comment[1]; + $qp2 = "LEFT JOIN history ON event.sid = history.sid AND event.cid = history.cid + WHERE history.comment = :filtercmt"; + // build parameters for prepared statement + $qp2_params = [":filtercmt" => "$filtercmt"]; + } else { + // if the user didn't enter cmt, then they may be using one of the built-in filters + // for example, if the user wants to search for alerts with src or dst ip in US: + // cc us + // we'll then receive the following: + // (msrc.cc = 'us' OR mdst.cc = 'us') + // the general strategy is to try to match this with one of the built-in filters to ensure validity + // then build a prepared statement + // this needs to be fixed + $filter = str_replace('<','<', $filter); + $filter = str_replace('>','>', $filter); + // build parameters for prepared statement + $qp2_params = [":sdatetime" => "$sdatetime", ":edatetime" => "$edatetime", ":soffset" => "$offset", ":eoffset" => "$offset"]; + // find whatever is enclosed in single ticks and replace with $ + $exploded=explode("'",$filter); + $filtervar=$exploded[1]; + $compfilter = str_replace($filtervar, '$', $filter); + // retrieve all valid filters from database + $statement="SELECT UNHEX(filter) from filters where type='filter';"; + $query = $dbpdo->prepare("$statement"); + $query->execute(); + $rows = $query->fetchAll(PDO::FETCH_BOTH); + // search for user filter in list of valid filters + $newfilter = ""; + $filter = ""; + // "signature LIKE" is a special case + if ( "$compfilter" == "(signature LIKE '$' OR signature LIKE '$')" ) { + $filter = "AND (signature LIKE :filtervar1 OR signature LIKE :filtervar2)"; + $qp2_params[":filtervar1"] = "%$filtervar%"; + $qp2_params[":filtervar2"] = "%$filtervar%"; + } else { + foreach ($rows as $row) { + 
if ( "$compfilter" == "$row[0]" ) { + $newfilter = $row[0]; + $i=0; + while (strpos($newfilter, "'\$'") !== false) { + $newfilter = preg_replace('/\'\$\'/', ":filtervar$i", "$newfilter", 1); + $qp2_params[":filtervar$i"] = $filtervar; + $i++; + } + $filter = "AND " . $newfilter; + } + } + } + $qp2 = "WHERE event.timestamp BETWEEN CONVERT_TZ(:sdatetime,:soffset,'+00:00') AND CONVERT_TZ(:edatetime,:eoffset,'+00:00') + $sensors + $filter + $rt"; + } } else { - $rt = ""; + // filter box was empty so we'll just build a prepared statement using sensors and rt values + $qp2 = "WHERE event.timestamp BETWEEN CONVERT_TZ(:sdatetime,:soffset,'+00:00') AND CONVERT_TZ(:edatetime,:eoffset,'+00:00') + $sensors + $rt"; + // build parameters for prepared statement + $qp2_params = [":sdatetime" => "$sdatetime", ":edatetime" => "$edatetime", ":soffset" => "$offset", ":eoffset" => "$offset"]; } } 
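Review bot: The non-`cmt` branch validates the user filter by matching `$compfilter` against rows of the `filters` table and then interpolates the matching row into SQL with `$filter = "AND " . $newfilter;`, but that table is written by the `insert` mode of `filters()` later in this diff, so it is a user-populated list rather than a fixed whitelist; unless the `$remove` stripping there (outside this view) is known to make stored filter text safe, the built-in filters should be matched against a list kept in code, or `$newfilter` checked against a fixed set of column/operator shapes before it reaches the statement. The `cmt` branch builds `$qp2` without `$sensors` while every handler still merges `$sensor_params` into `execute()`; PDO's placeholder rewrite rejects bound parameters that have no placeholder (`HY093`), so selecting sensors together with a `cmt` filter presumably fails — add `$sensors` to that `$qp2` or leave `$sensor_params` out for it. `$qp2` and `$qp2_params` are assigned only inside `if (isset($_REQUEST['filter']))`, so a request without `filter` leaves them undefined, `level0()`/`level1()`/`level2a()`/`map()`/`summary()` interpolate an empty `$qp2` (no `WHERE` at all) and pass `null` to `array_merge()`; initialise both to the no-filter form before the `isset`. Finally, `ltrim($sensors, 'AND event.sid IN(')` strips a character set rather than a prefix (it works only because the next character is a quote) — `substr($sensors, strlen('AND event.sid IN('))` says what is meant — and `$exploded[1]` is undefined whenever the filter contains no single quote.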
@@ -78,23 +190,26 @@ } function ec() { - - global $when, $sensors; - - $query = "SELECT COUNT(status) AS count, status - FROM event - LEFT JOIN sensor AS s ON event.sid = s.sid - WHERE $when - $sensors - GROUP BY status"; - - $result = mysql_query($query); - - $rows = array(); - - while ($row = mysql_fetch_assoc($result)) { - $rows[] = $row; - } + // This function returns event count grouped by status. + // This is used to populate the numbers in the Classification section on the left side of the EVENTS tab. + // This function has been updated to use PDO prepared statements. + global $sdatetime, $edatetime, $offset, $sensors, $sensor_params, $dbpdo; + + // build statement + $statement = "SELECT COUNT(status) AS count, status FROM event LEFT JOIN sensor AS s ON event.sid = s.sid + WHERE event.timestamp BETWEEN CONVERT_TZ(:sdatetime,:soffset,'+00:00') AND CONVERT_TZ(:edatetime,:eoffset,'+00:00') + $sensors + GROUP BY status;"; + // debug + //error_log("$statement"); + // prepare statement + $query = $dbpdo->prepare("$statement"); + // build parameters for prepared statement + $params = [":sdatetime" => "$sdatetime", ":edatetime" => "$edatetime", ":soffset" => "$offset", ":eoffset" => "$offset"]; + // execute the prepared statement and pass it the local params array and the sensor_params array + $query->execute(array_merge($params,$sensor_params)); + // fetch the data and encode to json + $rows = $query->fetchAll(PDO::FETCH_ASSOC); $theJSON = json_encode($rows); echo $theJSON; } 
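Review bot: `ec()` now calls `prepare()`/`execute()` on a connection configured with `ATTR_ERRMODE => ERRMODE_EXCEPTION` but has no `try`/`catch`, so any SQL error escapes as an uncaught `PDOException` where the old code produced an empty JSON array; wrap the call as `try { $query->execute(array_merge($params, $sensor_params)); $rows = $query->fetchAll(PDO::FETCH_ASSOC); } catch (PDOException $e) { error_log($e->getMessage()); $rows = array(); }`. `$sdatetime`/`$edatetime` are only set inside `if (isset($_REQUEST['ts']))`, so a request without `ts` binds `null` to both `CONVERT_TZ` arguments; a guard or an explicit default window would make that visible. The `// debug` / `//error_log("$statement");` pair is commented-out code and is repeated in nearly every function below — delete it or keep one helper behind a `$debug` flag.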
@@ -113,100 +228,78 @@ function urlMkr($line) { $wasMatched = 0; $dirs = explode("||",$rulePath); - if ( $gID > 100 ) { - $dc = 0; - $wasMatched = 2; + if ( $gID == 10001 ) { + $result = array("ruletxt" => "Generator ID $gID. OSSEC rules can be found in /var/ossec/rules/.", + "rulefile" => "n/a", + "ruleline" => "n/a", + ); + } elseif ( $gID != 1 && $gID != 3 ) { + $result = array("ruletxt" => "Generator ID $gID. This event belongs to a preprocessor or decoder.", + "rulefile" => "n/a", + "ruleline" => "n/a", + ); } else { - $dc = (count($dirs) - 1); - } - - for ($i = 0; $i <= $dc; $i++) - if ($ruleDir = opendir($dirs[$i])) { - while (false !== ($ruleFile = readdir($ruleDir))) { - if ($ruleFile != "." && $ruleFile != "..") { - $ruleLines = file("$dirs[$i]/$ruleFile"); - $lineNumber = 1; - - foreach($ruleLines as $line) { - - $searchCount = preg_match("/sid\:\s*$sigID\s*\;/",$line); - - if($searchCount > 0) { - $tempMsg = preg_match("/\bmsg\s*:\s*\"(.+?)\"\s*;/i",$line,$ruleMsg); - - $line = urlMkr(htmlspecialchars($line)); - - $result = array("ruletxt" => $line, - "rulefile" => $ruleFile, - "ruleline" => $lineNumber, - ); - $wasMatched = 1; - break; - } - $lineNumber++; - } - } - } - - closedir($ruleDir); - } - - if ($wasMatched == 0) { - $result = array("ruletxt" => "No match for signature ID $sigID", - "rulefile" => "n/a", - "ruleline" => "n/a", - ); - } - - if ($wasMatched == 2) { - $result = array("ruletxt" => "Generator ID > 100. This event belongs to a preprocessor or the decoder. Generator ID: $gID ", - "rulefile" => "n/a", - "ruleline" => "n/a", - ); + $dc = (count($dirs) - 1); + for ($i = 0; $i <= $dc; $i++) + if ($ruleDir = opendir($dirs[$i])) { + while (false !== ($ruleFile = readdir($ruleDir))) { + if ($ruleFile != "." 
&& $ruleFile != "..") { + $ruleLines = file("$dirs[$i]/$ruleFile"); + $lineNumber = 1; + + foreach($ruleLines as $line) { + + $searchCount = preg_match("/sid\:\s*$sigID\s*\;/",$line); + + if($searchCount > 0) { + $tempMsg = preg_match("/\bmsg\s*:\s*\"(.+?)\"\s*;/i",$line,$ruleMsg); + + $line = urlMkr(htmlspecialchars($line)); + + $result = array("ruletxt" => $line, + "rulefile" => $ruleFile, + "ruleline" => $lineNumber, + ); + $wasMatched = 1; + break; + } + $lineNumber++; + } + } + } + + closedir($ruleDir); + } + + if ($wasMatched == 0) { + $result = array("ruletxt" => "No match for signature ID $sigID", + "rulefile" => "n/a", + "ruleline" => "n/a", + ); + } } $theJSON = json_encode($result); echo $theJSON; - } function level0() { - global $offset, $when, $sensors, $rt; - $sv = mysql_real_escape_string($_REQUEST['sv']); - $filter = hextostr($_REQUEST['filter']); - if ($filter != 'empty') { - if (substr($filter, 0,4) == 'cmt ') { - $comment = mysql_real_escape_string(explode('cmt ', $filter)); - $qp2 = "LEFT JOIN history ON event.sid = history.sid AND event.cid = history.cid - WHERE history.comment = '$comment[1]'"; - } else { - // this needs to be fixed - $filter = str_replace('<','<', $filter); - $filter = str_replace('>','>', $filter); - $filter = "AND " . $filter; - $qp2 = "WHERE $when - $sensors - $filter - $rt"; - } - } else { - $qp2 = "WHERE $when - $sensors - $rt"; - } - - $query = "SELECT COUNT(event.signature) AS f1, + // This function returns the aggegrated event data in the main section of the EVENTS tab. + // This function has been updated to use PDO prepared statements. 
+ global $offset, $when, $sensors, $rt, $sdatetime, $edatetime, $sensor_params, $dbpdo, $qp2, $qp2_params, $sv; + // build statement + $statement="SELECT COUNT(event.signature) AS f1, event.signature AS f2, event.signature_id AS f3, event.signature_gen AS f4, - MAX(CONVERT_TZ(event.timestamp,'+00:00','$offset')) AS f5, + MAX(CONVERT_TZ(event.timestamp,'+00:00',:maxoffset)) AS f5, COUNT(DISTINCT(event.src_ip)) AS f6, COUNT(DISTINCT(event.dst_ip)) AS f7, event.ip_proto AS f8, GROUP_CONCAT(DISTINCT(event.status)) AS f9, GROUP_CONCAT(DISTINCT(event.sid)) AS f10, GROUP_CONCAT(event.status) AS f11, - GROUP_CONCAT(SUBSTRING(CONVERT_TZ(event.timestamp, '+00:00', '$offset'),12,2)) AS f12, + GROUP_CONCAT(SUBSTRING(CONVERT_TZ(event.timestamp, '+00:00', :groupoffset),12,2)) AS f12, event.priority AS f13, GROUP_CONCAT(DISTINCT(src_tag.value)) AS f14, GROUP_CONCAT(DISTINCT(dst_tag.value)) AS f15 
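Review bot: `$sigID` is interpolated straight into the pattern `"/sid\:\s*$sigID\s*\;/"` in the rule-file loop this hunk moves under the new `else`; if `$sigID` comes from the request (its assignment is above the hunk, so I cannot see it), a value with regex metacharacters either changes what is matched or makes `preg_match()` return `false` with a warning on every line of every rule file. Reject non-numeric IDs before the loop, `if (!ctype_digit((string) $sigID)) { $wasMatched = 0; }` with the directory walk skipped, or at minimum use `preg_quote($sigID, '/')` in the pattern. The same loop calls `file("$dirs[$i]/$ruleFile")` for every directory entry, so a subdirectory or unreadable file under `$rulePath` raises a warning instead of being skipped; an `is_file()` check before reading fixes that, and `$tempMsg`/`$ruleMsg` are computed but never used. The enclosing function starts before the hunk.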
@@ -218,51 +311,41 @@ function level0() { $qp2 GROUP BY f3 ORDER BY f5 $sv"; - - $result = mysql_query($query); - $rows = array(); - - while ($row = mysql_fetch_assoc($result)) { - $rows[] = $row; + // add params for local part of statement + $local_params[':maxoffset'] = "$offset"; + $local_params[':groupoffset'] = "$offset"; + // prepare statement + $query = $dbpdo->prepare("$statement"); + // merge params + $merged_params = array_merge($local_params, $sensor_params, $qp2_params); + // debug + //error_log("statement: $statement"); + //error_log("merged_params: " . print_r($merged_params,1)); + // execute the prepared statement with the params + $query->execute($merged_params); + // fetch the data and encode to json + $rows = $query->fetchAll(PDO::FETCH_ASSOC); + // the frontend expects all values to be strings + for ($i=0;$i', $filter); - $filter = "AND " . $filter; - $qp2 = "WHERE $when - $sensors - AND event.signature_id = '$sid' - $filter - $rt"; - } - } else { - $qp2 = "WHERE $when - $sensors - AND event.signature_id = '$sid' - $rt"; - } - - // LEVEL 1 - $query = "SELECT COUNT(event.signature) AS count, - MAX(CONVERT_TZ(event.timestamp,'+00:00','$offset')) AS maxTime, + // This function is called when the user clicks a number in the Queue column to drill into a group of aggregated events. + // This function has been updated to use PDO prepared statements. + global $offset, $when, $sensors, $rt, $sdatetime, $edatetime, $sensor_params, $dbpdo, $qp2, $qp2_params, $sv; + // sid is signature_id (snort/suricata ID, OSSEC rule ID, etc.) + $sid = $_REQUEST['object']; + // add sid to $qp2 and $qp2_params + $qp2 = "$qp2 + AND event.signature_id = :sid"; + $qp2_params[':sid'] = "$sid"; + // build statement + $statement = "SELECT COUNT(event.signature) AS count, + MAX(CONVERT_TZ(event.timestamp,'+00:00', :maxoffset)) AS maxTime, INET_NTOA(event.src_ip) AS src_ip, msrc.c_long AS src_cc, INET_NTOA(event.dst_ip) AS dst_ip, 
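Review bot: The `global` line in `level0()` imports `$when`, `$sdatetime`, `$edatetime`, `$sensors` and `$rt`, none of which the visible body references now that the time window and filters travel inside `$qp2`/`$qp2_params`; trim it to `global $offset, $sensor_params, $dbpdo, $qp2, $qp2_params, $sv;`, and `level1()`, `level2a()` and `map()` carry the same unused imports. The string-coercion loop after `fetchAll()` is garbled in this rendering (`for ($i=0;$i`), so I could not check it; if it exists because native prepares (`ATTR_EMULATE_PREPARES => false`) hand back integer columns as PHP ints, the comment should say so — `// the frontend expects all values to be strings` gives the what but not why the `mysql_*` version never needed it. `$local_params` is built by auto-vivification; `$local_params = [':maxoffset' => $offset, ':groupoffset' => $offset];` reads cleaner.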
@@ -274,8 +357,8 @@ function level1() { GROUP_CONCAT(event.sid) AS c_sid, GROUP_CONCAT(event.cid) AS c_cid, GROUP_CONCAT(event.status) AS c_status, - GROUP_CONCAT(SUBSTR(CONVERT_TZ(event.timestamp,'+00:00','$offset'),12,5)) AS c_ts, - GROUP_CONCAT(SUBSTRING(CONVERT_TZ(event.timestamp, '+00:00', '$offset'),12,2)) AS f12, + GROUP_CONCAT(SUBSTR(CONVERT_TZ(event.timestamp,'+00:00', :groupoffset1),12,5)) AS c_ts, + GROUP_CONCAT(SUBSTRING(CONVERT_TZ(event.timestamp, '+00:00', :groupoffset2),12,2)) AS f12, event.priority AS f13, msrc.age AS src_age, mdst.age AS dst_age, 
@@ -291,58 +374,50 @@ function level1() { $qp2 GROUP BY event.src_ip, event.dst_ip ORDER BY maxTime $sv"; - - $result = mysql_query($query); - - $rows = array(); - - while ($row = mysql_fetch_assoc($result)) { - $rows[] = $row; + // add params for local part of statement + $local_params[':maxoffset'] = "$offset"; + $local_params[':groupoffset1'] = "$offset"; + $local_params[':groupoffset2'] = "$offset"; + // prepare statement + $query = $dbpdo->prepare("$statement"); + // merge params + $merged_params = array_merge($local_params, $sensor_params, $qp2_params); + // debug + //error_log("statement: $statement"); + //error_log("merged_params: " . print_r($merged_params,1)); + // execute the prepared statement with the params + $query->execute($merged_params); + // fetch the data and encode to json + $rows = $query->fetchAll(PDO::FETCH_ASSOC); + // the frontend expects all values to be strings + for ($i=0;$iprepare("$statement"); + // merge params + $merged_params = array_merge($local_params, $sensor_params, $qp2_params); + // debug + //error_log("statement: $statement"); + //error_log("merged_params: " . print_r($merged_params,1)); + // execute the prepared statement with the params + $query->execute($merged_params); + // fetch the data and encode to json + $rows = $query->fetchAll(PDO::FETCH_ASSOC); + // the frontend expects all values to be strings + for ($i=0;$i', $filter); - $filter = "AND " . $filter; - $qp2 = "WHERE $when - $sensors - $filter - $rt"; - } - } else { - $qp2 = "WHERE $when - $sensors - $rt"; - } - - $query = "SELECT event.status AS f1, - CONCAT_WS(',',CONVERT_TZ(event.timestamp,'+00:00','$offset'),event.timestamp) AS f2, + // This function is called when grouping is turned off. + // This function has been updated to use PDO prepared statements. 
+ global $offset, $when, $sensors, $rt, $qp2, $qp2_params, $sensor_params, $sv, $dbpdo; + // build statement + $statement = "SELECT event.status AS f1, + CONCAT_WS(',',CONVERT_TZ(event.timestamp,'+00:00',:concatoffset),event.timestamp) AS f2, INET_NTOA(event.src_ip) AS f3, event.src_port AS f4, msrc.c_long AS f5, @@ -430,30 +493,43 @@ function level2a() { $qp2 GROUP BY event.sid, event.cid ORDER BY event.timestamp $sv"; - - $result = mysql_query($query); - $rows = array(); - while ($row = mysql_fetch_assoc($result)) { - $rows[] = $row; + // add params for local part of statement + $local_params[':concatoffset'] = "$offset"; + // prepare statement + $query = $dbpdo->prepare("$statement"); + // merge params + $merged_params = array_merge($local_params, $sensor_params, $qp2_params); + // debug + //error_log("statement: $statement"); + //error_log("merged_params: " . print_r($merged_params,1)); + // execute the prepared statement with the params + $query->execute($merged_params); + // fetch the data and encode to json + $rows = $query->fetchAll(PDO::FETCH_ASSOC); + // the frontend expects all values to be strings + for ($i=0;$iprepare("$statement"); + // build parameters for prepared statement + $params = [":offset" => "$offset", ":sid" => "$sid", ":cid" => "$cid"]; + // execute the prepared statement with params + $query->execute(array_merge($params)); + // fetch the data + $row = $query->fetchall(PDO::FETCH_ASSOC); $rows = array(); - - $row = mysql_fetch_assoc($result); - $rows[] = $row; - $ipp = $row["ip_proto"]; + if (array_key_exists(0, $row)) { + $rows[] = $row[0]; + } + $ipp = $row[0]["ip_proto"]; // Protocol switch ($ipp) { case 1: - $query = "SELECT event.icmp_type AS icmp_type, + $statement = "SELECT event.icmp_type AS icmp_type, event.icmp_code AS icmp_code, icmphdr.icmp_csum AS icmp_csum, icmphdr.icmp_id AS icmp_id, 
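Review bot: In `payload()` (its `@@` header is lost in this rendering) the guard `if (array_key_exists(0, $row))` protects only `$rows[] = $row[0];`, while the next statement `$ipp = $row[0]["ip_proto"];` runs unconditionally, so a `sid`/`cid` with no matching event still dereferences a missing index and enters the protocol `switch` with `null`. Move the assignment inside the guard and give `$ipp` a default: `$ipp = null; if (array_key_exists(0, $row)) { $rows[] = $row[0]; $ipp = $row[0]["ip_proto"]; }`. `execute(array_merge($params))` with a single array is a no-op wrapper around `execute($params)`, and `fetchall` should be spelled `fetchAll` to match the rest of the file.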
@@ -483,54 +566,80 @@ function payload() { FROM event, icmphdr WHERE event.sid=icmphdr.sid AND event.cid=icmphdr.cid - AND event.sid='$sid' - AND event.cid='$cid'"; - - $result = mysql_query($query); - - $row = mysql_fetch_assoc($result); - $rows[] = $row; + AND event.sid=:sid + AND event.cid=:cid"; + // debug + //error_log("$statement"); + // prepare statement + $query = $dbpdo->prepare("$statement"); + // build parameters for prepared statement + $params = [":sid" => "$sid", ":cid" => "$cid"]; + // execute the prepared statement with params + $query->execute(array_merge($params)); + // fetch the data + $row = $query->fetchall(PDO::FETCH_ASSOC); + if (array_key_exists(0, $row)) { + $rows[] = $row[0]; + } break; case 6: - $query = "SELECT tcp_seq, tcp_ack, tcp_off, tcp_res, tcp_flags, tcp_win, tcp_urp, tcp_csum + $statement = "SELECT tcp_seq, tcp_ack, tcp_off, tcp_res, tcp_flags, tcp_win, tcp_urp, tcp_csum FROM tcphdr - WHERE sid='$sid' AND cid='$cid'"; - - $result = mysql_query($query); - - $row = mysql_fetch_assoc($result); - $rows[] = $row; + WHERE sid=:sid AND cid=:cid"; + // prepare statement + $query = $dbpdo->prepare("$statement"); + // build parameters for prepared statement + $params = [":sid" => "$sid", ":cid" => "$cid"]; + // execute the prepared statement with params + $query->execute(array_merge($params)); + // fetch the data + $row = $query->fetchall(PDO::FETCH_ASSOC); + if (array_key_exists(0, $row)) { + $rows[] = $row[0]; + } break; case 17: - $query = "SELECT udp_len, udp_csum + $statement = "SELECT udp_len, udp_csum FROM udphdr - WHERE sid='$sid' AND cid='$cid'"; - - $result = mysql_query($query); - - $row = mysql_fetch_assoc($result); - $rows[] = $row; + WHERE sid=:sid AND cid=:cid"; + // prepare statement + $query = $dbpdo->prepare("$statement"); + // build parameters for prepared statement + $params = [":sid" => "$sid", ":cid" => "$cid"]; + // execute the prepared statement with params + $query->execute(array_merge($params)); + // fetch the 
data + $row = $query->fetchall(PDO::FETCH_ASSOC); + if (array_key_exists(0, $row)) { + $rows[] = $row[0]; + } break; default: $result = array(0 => 0); $rows[] = $row; break; } - // Data - $query = "SELECT data_payload + $statement = "SELECT data_payload FROM data - WHERE sid='$sid' AND cid='$cid'"; - - $result = mysql_query($query); - - $row = mysql_fetch_assoc($result); - $rows[] = $row; + WHERE sid=:sid AND cid=:cid"; + // prepare statement + $query = $dbpdo->prepare("$statement"); + // build parameters for prepared statement + $params = [":sid" => "$sid", ":cid" => "$cid"]; + // execute the prepared statement with params + $query->execute(array_merge($params)); + // fetch the data and encode to json + $row = $query->fetchall(PDO::FETCH_ASSOC); + if (array_key_exists(0, $row)) { + $rows[] = $row[0]; + // Add the row again for Bro agent + $rows[] = $row[0]; + } $theJSON = json_encode($rows); echo $theJSON; - } function tab() { 
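Review bot: Because `$row` is now the full `fetchAll()` result (a list of rows) instead of one associative row, the untouched `default:` branch `$rows[] = $row;` appends a nested list to the output and its `$result = array(0 => 0)` is dead; append `$row[0]` under the same `array_key_exists(0, $row)` guard the other cases use, or emit nothing for unknown protocols. The three protocol cases and the `data` query repeat the same prepare/params/execute/fetch/guard block verbatim; a small helper taking `$dbpdo`, the statement and `$params` and returning the first row or `null` would collapse each of them to one line.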
@@ -539,92 +648,42 @@ function tab() { } function transcript() { - - global $offset; - $txdata = hextostr($_REQUEST['txdata']); - $usr = $_SESSION['sUser']; - $pwd = $_SESSION['sPass']; - list($sid, $timestamp, $sip, $spt, $dip, $dpt) = explode("|", $txdata); - $sqlsid = mysql_real_escape_string($sid); - // Lookup sensorname - $query = "SELECT hostname FROM sensor - WHERE sid = '$sqlsid'"; - - $qResult = mysql_query($query); - - $sensorName = mysql_result($qResult, 0); - $cmdsid = escapeshellarg($sid); - $cmdsip = escapeshellarg($sip); - $cmddip = escapeshellarg($dip); - $cmdspt = escapeshellarg($spt); - $cmddpt = escapeshellarg($dpt); - - $cmd = "../.scripts/cliscript.tcl \"$usr\" \"$sensorName\" \"$timestamp\" $cmdsid $cmdsip $cmddip $cmdspt $cmddpt"; - $descspec = array( - 0 => array("pipe", "r"), - 1 => array("pipe", "w"), - 2 => array("pipe", "w") - ); - - $proc = proc_open($cmd, $descspec, $pipes); - $debug = "Process execution failed"; - $_raw = $fmtd = ""; - if (is_resource($proc)) { - fwrite($pipes[0], $pwd); - fclose($pipes[0]); - $_raw = stream_get_contents($pipes[1]); - fclose($pipes[1]); - $debug = fgets($pipes[2]); - fclose($pipes[2]); - } - - $raw = explode("\n", $_raw); - foreach ($raw as $line) { - - $line = htmlspecialchars($line); - $type = substr($line, 0,3); - - switch ($type) { - case "DEB": $debug .= preg_replace('/^DEBUG:.*$/', "$0", $line) . "
"; $line = ''; break; - case "HDR": $line = preg_replace('/(^HDR:)(.*$)/', "$2", $line); break; - case "DST": $line = preg_replace('/^DST:.*$/', "$0", $line); break; - case "SRC": $line = preg_replace('/^SRC:.*$/', "$0", $line); break; - default: $line = ""; break; - } - - if (strlen($line) > 0) { - $fmtd .= $line . "
"; - } - } - - if (strlen($fmtd) > 0) { - $fmtd .= "
" . $debug; - } - - $result = array("tx" => "$fmtd", - "dbg" => "$_raw", - "cmd" => "$cmd"); - - $theJSON = json_encode($result); - echo $theJSON; + # We no longer use Squert's native transcript functionality. + # Squert now pivots to CapMe for transcripts. } function filters() { + // This function queries and updates the filters table. + // This function has been updated to use PDO prepared statements. + global $dbpdo; $user = $_SESSION['sUser']; - $mode = mysql_real_escape_string($_REQUEST['mode']); + $mode = $_REQUEST['mode']; switch ($mode) { case "query" : - $query = "SELECT type, UNHEX(name) AS name, alias, filter, UNHEX(notes) as notes, age, global, username + $statement = "SELECT type, UNHEX(name) AS name, alias, filter, UNHEX(notes) as notes, age, global, username FROM filters ORDER BY global,name ASC"; - $result = mysql_query($query); - $rows = array(); - while ($row = mysql_fetch_assoc($result)) { - $rows[] = $row; + // debug + //error_log("$statement"); + // prepare statement + $query = $dbpdo->prepare("$statement"); + // execute the prepared statement with params + $query->execute(); + # iterate through each row of the filter table + while ($row = $query->fetch(PDO::FETCH_ASSOC)) { + # for each field in that row, we need to sanitize before output + foreach ($row as &$value) { + # https://paragonie.com/blog/2015/06/preventing-xss-vulnerabilities-in-php-everything-you-need-know + $value = htmlentities($value, ENT_QUOTES | ENT_HTML5, 'UTF-8'); + } + # must unset $value per http://php.net/manual/en/control-structures.foreach.php + unset($value); + # now add the sanitized row to the $rows array + $rows[] = $row; } $theJSON = json_encode($rows); 
@@ -641,23 +700,50 @@ function filters() { $filter = str_ireplace($remove, "", $filter); $filter = strtohex($filter); - $query = "INSERT INTO filters (type,name,alias,username,filter,notes) - VALUES ('$type','$name','$alias','$user','$filter','$notes') + $statement = "INSERT INTO filters (type,name,alias,username,filter,notes) + VALUES (:type1,:name1,:alias1,:user1,:filter1,:notes1) ON DUPLICATE KEY UPDATE - type='$type',name='$name',alias='$alias',filter='$filter',notes='$notes'"; + type=:type2,name=:name2,alias=:alias2,filter=:filter2,notes=:notes2"; + // debug + //error_log("$statement"); + // prepare statement + $query = $dbpdo->prepare("$statement"); + // build parameters for prepared statement + $params = [":type1" => "$type", ":name1" => "$name", ":alias1" => "$alias", ":user1" => "$user", ":filter1" => "$filter", ":notes1" => "$notes", ":type2" => "$type", ":name2" => "$name", ":alias2" => "$alias", ":filter2" => "$filter", ":notes2" => "$notes"]; + // execute the prepared statement with params + $query->execute(array_merge($params)); + // check for errors + $error = $query->errorInfo(); + $result = ""; + // if there was no error, then $error[2] should be null + if ( ! 
is_null($error[2]) ) { + $result = $error[2]; + } - mysql_query($query); - $result = mysql_error(); $return = array("msg" => $result); $theJSON = json_encode($return); break; case "remove" : - $alias = mysql_real_escape_string($_REQUEST['data']); - $query = "DELETE FROM filters WHERE username = '$user' AND (alias = '$alias' AND global = 0)"; - mysql_query($query); - $result = mysql_error(); + $alias = $_REQUEST['data']; + $statement = "DELETE FROM filters WHERE username = :user AND (alias = :alias AND global = 0)"; + // debug + //error_log("$statement"); + // prepare statement + $query = $dbpdo->prepare("$statement"); + // build parameters for prepared statement + $params = [":user" => "$user", ":alias" => "$alias"]; + // execute the prepared statement with the params + $query->execute(array_merge($params)); + // check for errors + $error = $query->errorInfo(); + $result = ""; + // if there was no error, then $error[2] should be null + if ( ! is_null($error[2]) ) { + $result = $error[2]; + } + $return = array("msg" => $result); $theJSON = json_encode($return); @@ -677,7 +763,12 @@ function cat() { list($cat, $msg, $lst) = explode("|||", $catdata); $msg = htmlentities($msg); - $cmd = "../.scripts/clicat.tcl 0 \"$usr\" \"$cat\" \"$msg\" \"$lst\""; + $cmdusr = escapeshellarg($usr); + $cmdcat = escapeshellarg($cat); + $cmdmsg = escapeshellarg($msg); + $cmdlst = escapeshellarg($lst); + + $cmd = "../.scripts/clicat.tcl 0 $cmdusr $cmdcat $cmdmsg $cmdlst"; $descspec = array( 0 => array("pipe", "r"), 1 => array("pipe", "w") @@ -698,7 +789,10 @@ function cat() { } function comments() { - $query = "SELECT COUNT(comment) AS f1, + // This function retrieves comments from the history table. + // This function has been updated to use PDO prepared statements. + global $dbpdo; + $statement = "SELECT COUNT(comment) AS f1, comment AS f2, u.username AS f3, MIN(timestamp) AS f4, 
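Review bot: The `$query->errorInfo()` checks after `execute()` in `insert` and `remove` mode can never observe a failure: the connection is created with `ATTR_ERRMODE => ERRMODE_EXCEPTION` (first hunk of this file), so a failing `execute()` throws before `errorInfo()` runs and `$result` is always `""`. Replace the block with `try { $query->execute($params); } catch (PDOException $e) { $result = $e->getMessage(); }`, or log the message and return a generic one, since `$result` is echoed back to the client; `remove_comment()` and `user_profile()` later in the diff carry the same dead check. `array_merge($params)` with a single argument is a no-op and can be `$params`.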
@@ -711,53 +805,52 @@ function comments() { AND (comment NOT IN('NULL','Auto Update','') AND comment NOT LIKE ('autoid %')) GROUP BY comment ORDER BY f5 DESC"; - - $result = mysql_query($query); - $rows = array(); - - while ($row = mysql_fetch_assoc($result)) { - $rows[] = $row; - } + // debug + //error_log("$statement"); + // prepare statement + $query = $dbpdo->prepare("$statement"); + // execute the prepared statement + $query->execute(); + // fetch the data and encode to json + $rows = $query->fetchAll(PDO::FETCH_ASSOC); $theJSON = json_encode($rows); echo $theJSON; } function remove_comment() { + // This function removes a comment from the history table. + // This function has been updated to use PDO prepared statements. + global $dbpdo; $user = $_SESSION['sUser']; $comment = hextostr($_REQUEST['comment']); - $comment = mysql_real_escape_string($comment); - $query = "DELETE FROM sguildb.history WHERE comment = '$comment'"; - mysql_query($query); - $result = mysql_error(); + $comment = $comment; + $statement = "DELETE FROM history WHERE comment = :comment"; + // debug + //error_log("$statement"); + // prepare statement + $query = $dbpdo->prepare("$statement"); + // build parameters for prepared statement + $params = [":comment" => "$comment"]; + // execute the prepared statement with the params + $query->execute(array_merge($params)); + // check for errors + $error = $query->errorInfo(); + $result = ""; + // if there was no error, then $error[2] should be null + if ( ! 
is_null($error[2]) ) { + $result = $error[2]; + } $return = array("msg" => $result); - $theJSON = json_encode($return); echo $theJSON; } function map() { - global $when, $sensors; - $filter = hextostr($_REQUEST['filter']); - - if ($filter != 'empty') { - if (substr($filter, 0,4) == 'cmt ') { - $comment = explode('cmt ', $filter); - $qp2 = "LEFT JOIN history ON event.sid = history.sid AND event.cid = history.cid - WHERE history.comment = '$comment[1]'"; - } else { - $filter = str_replace('<','<', $filter); - $filter = str_replace('>','>', $filter); - $filter = "AND " . $filter; - $qp2 = "WHERE $when - $sensors - $filter"; - } - } else { - $qp2 = "WHERE $when - $sensors"; - } + // This function is called when the user clicks the SUMMARY tab. + // This function has been updated to use PDO prepared statements. - $srcq = "SELECT COUNT(src_ip) AS c, msrc.cc + global $when, $sensors, $qp2, $qp2_params, $sensor_params, $sv, $dbpdo; + $srcstatement = "SELECT COUNT(src_ip) AS c, msrc.cc FROM event LEFT JOIN mappings AS msrc ON event.src_ip = msrc.ip LEFT JOIN mappings AS mdst ON event.dst_ip = mdst.ip @@ -769,7 +862,7 @@ function map() { GROUP BY msrc.cc ORDER BY c DESC"; - $dstq = "SELECT COUNT(dst_ip) AS c, mdst.cc + $dststatement = "SELECT COUNT(dst_ip) AS c, mdst.cc FROM event LEFT JOIN mappings AS msrc ON event.src_ip = msrc.ip LEFT JOIN mappings AS mdst ON event.dst_ip = mdst.ip 
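Review bot: `remove_comment()` still reads `$user = $_SESSION['sUser']` but the new `DELETE FROM history WHERE comment = :comment` is not scoped by it, so any logged-in user removes every history row carrying that comment text regardless of who wrote it; if `history` records the author (the `comments()` query above joins `u.username`, so it appears to), add a bound username predicate, otherwise delete the unused `$user`. `$comment = $comment;` is a leftover from dropping `mysql_real_escape_string()` and should go. The table name change from `sguildb.history` to `history` relies on the `dbname` in the DSN pointing at the same schema; worth a word in the commit message if that is intentional.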
@@ -780,16 +873,23 @@ function map() { AND mdst.cc IS NOT NULL GROUP BY mdst.cc ORDER BY c DESC"; - - $srcr = mysql_query($srcq); - $dstr = mysql_query($dstq); + // prepare statements + $srcquery = $dbpdo->prepare("$srcstatement"); + // merge params + $merged_params = array_merge($sensor_params, $qp2_params); + // debug + //error_log("srcstatement: $srcstatement"); + //error_log("dststatement: $dststatement"); + //error_log("merged_params: " . print_r($merged_params,1)); + // execute the prepared statement with the params + $srcquery->execute($merged_params); // A => src, B=> dst, C=> cumulative $a1 = $a2 = $b1 = $b2 = array(); $aHit = $bHit = $cHit = 'no'; // Source countries and count - while ($row = mysql_fetch_row($srcr)) { + while ($row = $srcquery->fetch(PDO::FETCH_NUM)) { $a1[] = $row[0]; $a2[] = $row[1]; $c1[] = $row[0]; @@ -798,10 +898,12 @@ function map() { $cHit = 'yes'; } + $dstquery = $dbpdo->prepare("$dststatement"); + $dstquery->execute($merged_params); // Destination countries and count // As we loop through we check to see if we hit a country // that we already processed so that we can derive a sum - while ($row = mysql_fetch_row($dstr)) { + while ($row = $dstquery->fetch(PDO::FETCH_NUM)) { $b1[] = $row[0]; $b2[] = $row[1]; if ($aHit == 'yes') { @@ -823,6 +925,7 @@ function map() { } $aSum = $bSum = $cSum = $aItems = $bItems = $cItems = 0; + $srcd = $dstd = $alld = ""; function makeDetail($x1,$x2) { $detail = ""; @@ -874,7 +977,11 @@ function makeDetail($x1,$x2) { } function sensors() { - $query = "SELECT net_name AS f1, + // This function gets the list of sensors. + // This function has been updated to use PDO prepared statements. + global $dbpdo; + //$query = "SELECT net_name AS f1, + $statement = "SELECT net_name AS f1, hostname AS f2, agent_type AS f3, sensor.sid AS f4 
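Review bot: `map()` gains `$srcd = $dstd = $alld = "";` but the source loop's `$c1[] = $row[0];` still auto-vivifies `$c1`, which is not on the `$a1 = $a2 = $b1 = $b2 = array();` line, so when the source query returns no rows whatever consumes `$c1` below (outside this hunk) presumably reads an undefined variable; add `$c1` (and its companion array, if there is one) to that initialiser. Preparing `$dstquery` only after the `$srcquery` loop has been drained is presumably required by `MYSQL_ATTR_USE_BUFFERED_QUERY => false` — a comment such as `// unbuffered connection: the src result must be fully read before the next query` would stop someone hoisting it back next to `$srcquery`. In `sensors()` the commented-out `//$query = "SELECT net_name AS f1,` line is dead and should be removed.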
@@ -882,26 +989,44 @@ function sensors() { WHERE agent_type != 'pcap' AND active = 'Y' ORDER BY net_name ASC"; - - $result = mysql_query($query); - $rows = array(); - - while ($row = mysql_fetch_assoc($result)) { - $rows[] = $row; - } + // debug + //error_log("$statement"); + // prepare statement + $query = $dbpdo->prepare("$statement"); + // execute the prepared statement + $query->execute(); + // fetch the data and encode to json + $rows = $query->fetchAll(PDO::FETCH_ASSOC); $theJSON = json_encode($rows); echo $theJSON; } function user_profile() { + // This function updates the timezone offset in the user profile. + // This function has been updated to use PDO prepared statements. + global $dbpdo; $user = $_SESSION['sUser']; $tz = hextostr($_REQUEST['tz']); $validtz = "/^(-12:00|-11:00|-10:00|-09:30|-09:00|-08:00|-07:00|-06:00|-05:00|-04:30|-04:00|-03:30|-03:00|-02:00|-01:00|\+00:00|\+01:00|\+02:00|\+03:00|\+03:30|\+04:00|\+04:30|\+05:00|\+05:30|\+05:45|\+06:00|\+06:30|\+07:00|\+08:00|\+08:45|\+09:00|\+09:30|\+10:00|\+10:30|\+11:00|\+11:30|\+12:00|\+12:45|\+13:00|\+14:00)$/"; if (preg_match($validtz, $tz)) { - $query = "UPDATE user_info SET tzoffset = '$tz' WHERE username = '$user'"; - mysql_query($query); - $result = mysql_error(); + // prepare statement + $statement = "UPDATE user_info SET tzoffset = :tz WHERE username = :user"; + // debug + //error_log("$statement"); + // prepare statement + $query = $dbpdo->prepare("$statement"); + // build parameters for prepared statement + $params = [":tz" => "$tz", ":user" => "$user"]; + // execute the prepared statement with the params + $query->execute($params); + // check for errors + $error = $query->errorInfo(); + $result = ""; + // if there was no error, then $error[2] should be null + if ( ! is_null($error[2]) ) { + $result = $error[2]; + } // Update session offset $_SESSION['tzoffset'] = $tz; } else { 
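Review bot: The `errorInfo()` check after `$query->execute($params)` in user_profile() cannot observe a failure if the handle is configured with `ERRMODE_EXCEPTION`, as it appears to be where `$dbpdo` is created: `prepare()`/`execute()` throw a `PDOException` before `$error[2]` is ever non-null, so the exception escapes the function and the JSON reply is never sent. Wrap the two calls in `try { … } catch (PDOException $e) { $result = $e->getMessage(); }` so the caller still receives the error text the old `mysql_error()` path produced. The same dead check is in the `-1272` hunk of autocat() and the `-1383` hunk of addremoveobject(). If the connection attempt failed, `$dbpdo` is null and `$dbpdo->prepare()` is a fatal error; `if ($dbpdo === null) { … return; }` at the top of each function avoids that. user_profile() continues past the end of the hunk.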
@@ -913,56 +1038,54 @@ function user_profile() { } function summary() { - global $when, $sensors; + // This function is called when the user clicks the SUMMARY tab. + // This function has been updated to use PDO prepared statements. + + global $when, $sensors, $qp2, $qp2_params, $sensor_params, $sv, $dbpdo; $limit = $_REQUEST['limit']; $qargs = $_REQUEST['qargs']; $filter = hextostr($_REQUEST['filter']); list($type,$subtype) = explode("-", $qargs); $oppip = "src"; - if ($subtype == "src") { $oppip = "dst"; } - - if ($filter != 'empty') { - if (substr($filter, 0,4) == 'cmt ') { - $comment = explode('cmt ', $filter); - $qp2 = "LEFT JOIN history ON event.sid = history.sid AND event.cid = history.cid - WHERE history.comment = '$comment[1]'"; - } else { - $filter = str_replace('<','<', $filter); - $filter = str_replace('>','>', $filter); - $filter = "AND " . $filter; - $qp2 = "WHERE $when - $sensors - $filter"; - } - } else { - $qp2 = "WHERE $when - $sensors"; - } + // subtype is controlled by user, don't trust it + $cleansubtype = ""; + switch ($subtype) { + case "src": + $cleansubtype = "src"; + $oppip = "dst"; + break; + case "dst": + $cleansubtype = "dst"; + break; + case "sig": + $cleansubtype = "sig"; + break; + } switch ($type) { case "ip": - $query = "SELECT COUNT(event.{$subtype}_ip) AS f1, + $statement = "SELECT COUNT(event.{$cleansubtype}_ip) AS f1, COUNT(DISTINCT(event.signature)) AS f2, COUNT(DISTINCT(event.{$oppip}_ip)) AS f3, - m{$subtype}.cc AS f4, - m{$subtype}.c_long AS f5, - INET_NTOA(event.{$subtype}_ip) AS f6, - o{$subtype}.value AS f7 + m{$cleansubtype}.cc AS f4, + m{$cleansubtype}.c_long AS f5, + INET_NTOA(event.{$cleansubtype}_ip) AS f6, + o{$cleansubtype}.value AS f7 FROM event LEFT JOIN mappings AS msrc ON event.src_ip = msrc.ip LEFT JOIN mappings AS mdst ON event.dst_ip = mdst.ip - LEFT JOIN object_mappings AS o{$subtype} ON event.{$subtype}_ip = o{$subtype}.object - AND o{$subtype}.type = 'ip_c' + LEFT JOIN object_mappings AS o{$cleansubtype} 
ON event.{$cleansubtype}_ip = o{$cleansubtype}.object + AND o{$cleansubtype}.type = 'ip_c' $qp2 GROUP BY f6 ORDER BY f1 DESC"; break; case "pt": - $query = "SELECT COUNT(event.{$subtype}_port) AS f1, + $statement = "SELECT COUNT(event.{$cleansubtype}_port) AS f1, COUNT(DISTINCT(event.signature)) AS f2, COUNT(DISTINCT(event.src_ip)) AS f3, COUNT(DISTINCT(event.dst_ip)) AS f4, - event.{$subtype}_port AS f5 + event.{$cleansubtype}_port AS f5 FROM event LEFT JOIN mappings AS msrc ON event.src_ip = msrc.ip LEFT JOIN mappings AS mdst ON event.dst_ip = mdst.ip @@ -971,7 +1094,7 @@ function summary() { ORDER BY f1 DESC"; break; case "sig": - $query = "SELECT COUNT(event.signature) AS f1, + $statement = "SELECT COUNT(event.signature) AS f1, COUNT(DISTINCT(event.src_ip)) AS f2, COUNT(DISTINCT(event.dst_ip)) AS f3, event.signature_id AS f4, 
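Review bot: `$cleansubtype` stays `""` when `$subtype` is not one of src/dst/sig, and `$statement` is never assigned when `$type` matches no `case`, so summary() then builds `event._ip` or prepares an empty string and the resulting `PDOException` propagates out of the function. Add a `default:` arm to both switches that replies and returns, e.g. `default: echo json_encode(array("msg" => "invalid qargs")); return;`; view()'s `switch ($type)` in the `-984` hunk has the same gap. In that hunk, `$limit = $_REQUEST['limit']` is compared as `$i <= $limit` without a cast, so a non-numeric value disables the row cap; `$limit = (int) $_REQUEST['limit'];` pins it. `$sv` is imported into both functions but not used in the hunks. summary() continues past the end of this hunk.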
@@ -984,64 +1107,62 @@ function summary() { ORDER BY f1 DESC"; break; case "cc": - $query = "SELECT COUNT(event.{$subtype}_ip) AS f1, + $statement = "SELECT COUNT(event.{$cleansubtype}_ip) AS f1, COUNT(DISTINCT(event.signature)) AS f2, COUNT(DISTINCT(event.{$oppip}_ip)) AS f3, - m{$subtype}.cc AS f4, - m{$subtype}.c_long AS f5, - COUNT(DISTINCT(event.{$subtype}_ip)) AS f6 + m{$cleansubtype}.cc AS f4, + m{$cleansubtype}.c_long AS f5, + COUNT(DISTINCT(event.{$cleansubtype}_ip)) AS f6 FROM event LEFT JOIN mappings AS msrc ON event.src_ip = msrc.ip LEFT JOIN mappings AS mdst ON event.dst_ip = mdst.ip $qp2 - AND event.{$subtype}_ip NOT BETWEEN 167772160 AND 184549375 - AND event.{$subtype}_ip NOT BETWEEN 2886729728 AND 2886795263 - AND event.{$subtype}_ip NOT BETWEEN 3232235520 AND 3232301055 - AND m{$subtype}.cc IS NOT NULL GROUP BY m{$subtype}.cc ORDER BY f1 DESC"; + AND event.{$cleansubtype}_ip NOT BETWEEN 167772160 AND 184549375 + AND event.{$cleansubtype}_ip NOT BETWEEN 2886729728 AND 2886795263 + AND event.{$cleansubtype}_ip NOT BETWEEN 3232235520 AND 3232301055 + AND m{$cleansubtype}.cc IS NOT NULL GROUP BY m{$cleansubtype}.cc ORDER BY f1 DESC"; break; } - $result = mysql_query($query); + + // prepare statement + $query = $dbpdo->prepare("$statement"); + // merge params + $merged_params = array_merge($sensor_params, $qp2_params); + // debug + //error_log("statement: $statement"); + //error_log("merged_params: " . 
print_r($merged_params,1)); + // execute the prepared statement with the params + $query->execute($merged_params); + $rows = array(); $i = 0; $n = 0; - $r = mysql_num_rows($result); - while ($row = mysql_fetch_assoc($result)) { + // unbuffered query can't do rowCount, replacing with $i below + //$r = $query->rowCount(); + + # iterate through each row of the filter table + while ($row = $query->fetch(PDO::FETCH_ASSOC)) { $n += $row["f1"]; $i++; if ($i <= $limit) $rows[] = $row; } - $rows[] = array("n" => $n, "r" => $r); + $rows[] = array("n" => $n, "r" => $i); $theJSON = json_encode($rows); echo $theJSON; } function view() { - global $when, $sensors; + // This function is called when the user clicks the VIEWS tab. + // This function has been updated to use PDO prepared statements. + + global $when, $sensors, $qp2, $qp2_params, $sensor_params, $sv, $dbpdo; $qargs = $_REQUEST['qargs']; $filter = hextostr($_REQUEST['filter']); list($type,$subtype) = explode("-", $qargs); - if ($filter != 'empty') { - if (substr($filter, 0,4) == 'cmt ') { - $comment = explode('cmt ', $filter); - $qp2 = "LEFT JOIN history ON event.sid = history.sid AND event.cid = history.cid - WHERE history.comment = '$comment[1]'"; - } else { - $filter = str_replace('<','<', $filter); - $filter = str_replace('>','>', $filter); - $filter = "AND " . $filter; - $qp2 = "WHERE $when - $sensors - $filter"; - } - } else { - $qp2 = "WHERE $when - $sensors"; - } - switch ($type) { case "ip": - $query = "SELECT CONCAT_WS('|', INET_NTOA(event.src_ip), msrc.cc, msrc.c_long) AS source, + $statement = "SELECT CONCAT_WS('|', INET_NTOA(event.src_ip), msrc.cc, msrc.c_long) AS source, CONCAT_WS('|', INET_NTOA(event.dst_ip), mdst.cc, mdst.c_long) AS target, COUNT(event.src_ip) AS value FROM event 
@@ -1052,7 +1173,7 @@ function view() { GROUP BY source,target"; break; case "ips": - $query = "SELECT CONCAT_WS('|', INET_NTOA(event.src_ip), msrc.cc, msrc.c_long) AS source, + $statement = "SELECT CONCAT_WS('|', INET_NTOA(event.src_ip), msrc.cc, msrc.c_long) AS source, event.signature AS sig, CONCAT_WS('|', INET_NTOA(event.dst_ip), mdst.cc, mdst.c_long) AS target, COUNT(event.src_ip) AS value @@ -1064,7 +1185,7 @@ function view() { GROUP BY source,target"; break; case "sc": - $query = "SELECT CONCAT_WS('|' ,msrc.c_long, msrc.cc) AS source, + $statement = "SELECT CONCAT_WS('|' ,msrc.c_long, msrc.cc) AS source, CONCAT_WS('|',INET_NTOA(event.dst_ip), mdst.cc) AS target, COUNT(event.src_ip) AS value FROM event @@ -1078,7 +1199,7 @@ function view() { GROUP BY source,target"; break; case "dc": - $query = "SELECT CONCAT_WS('|', INET_NTOA(event.src_ip), msrc.cc) AS source, + $statement = "SELECT CONCAT_WS('|', INET_NTOA(event.src_ip), msrc.cc) AS source, CONCAT_WS('|', mdst.c_long, mdst.cc) AS target, COUNT(event.dst_ip) AS value FROM event 
@@ -1092,18 +1213,23 @@ function view() { GROUP BY source,target"; break; } - $result = mysql_query($query); - $rc = mysql_num_rows($result); + // prepare statement + $query = $dbpdo->prepare("$statement"); + // merge params + $merged_params = array_merge($sensor_params, $qp2_params); + // debug + //error_log("statement: $statement"); + //error_log("merged_params: " . print_r($merged_params,1)); + // execute the prepared statement with the params + $query->execute($merged_params); + + // unbuffered query can't do rowCount, replacing with $records below + //$rc = $query->rowCount(); $records = 0; $rows = $srcs = $tgts = $vals = $skip = $names = $_names = array(); - - if ($rc == 0) { - $theJSON = json_encode(array("nodes" => $names, "links" => $rows, "records" => $records)); - echo $theJSON; - exit(); - } - - while ($row = mysql_fetch_assoc($result)) { +/* +*/ + while ($row = $query->fetch(PDO::FETCH_ASSOC)) { if ($type == "ips") { $srcs[] = $row["source"]; $tgts[] = $row["sig"]; @@ -1119,6 +1245,12 @@ function view() { $sads[] = 0; $records++; } + + if ($records == 0) { + $theJSON = json_encode(array("nodes" => $names, "links" => $rows, "records" => $records)); + echo $theJSON; + exit(); + } // Value counts $src_c = array_count_values($srcs); $tgt_c = array_count_values($tgts); 
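Review bot: An empty `/*` `*/` pair is left immediately before the `while` loop and reads as an unfinished edit; remove it, together with the commented-out `error_log` and `rowCount()` lines, which record a question ("unbuffered query can't do rowCount") rather than code. Counting rows in `$records` during the fetch is the right replacement, and moving the `if ($records == 0)` early exit after the loop in the `-1119` hunk is consistent with it. view()'s body continues outside the hunk.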
@@ -1128,33 +1260,33 @@ function view() { foreach ($srcs as $index => $src) { // Find the target if (in_array($index, $skip)) { continue; } - $tgt = $tgts[$index]; - // Find the keys for all instances of the target as a source - $tgt_keys = array_keys($srcs,$tgt); - // Now see if any have the source as a target - foreach ($tgt_keys as $pos) { - if ($tgts[$pos] == $src) { - $sads_val = $vals[$pos]; - unset($srcs[$pos]); - unset($tgts[$pos]); - unset($vals[$pos]); - unset($sads[$pos]); - // Add offset to be skipped - $skip[] = $pos; - // By setting this we flag that this source is also a target - $sads[$index] = $sads_val; + $tgt = $tgts[$index]; + // Find the keys for all instances of the target as a source + $tgt_keys = array_keys($srcs,$tgt); + // Now see if any have the source as a target + foreach ($tgt_keys as $pos) { + if ($tgts[$pos] == $src) { + $sads_val = $vals[$pos]; + unset($srcs[$pos]); + unset($tgts[$pos]); + unset($vals[$pos]); + unset($sads[$pos]); + // Add offset to be skipped + $skip[] = $pos; + // By setting this we flag that this source is also a target + $sads[$index] = $sads_val; + } } - } - // If there is no filter, remove 1:1s with a count of 1 - if ($filter == 'empty') { - if ($vals[$index] == 1 && $sads[$index] == 0 && $src_c[$src] == 1) { - unset($srcs[$index]); - unset($tgts[$index]); - unset($vals[$index]); - unset($sads[$index]); - } - } + // If there is no filter, remove 1:1s with a count of 1 + if ($filter == 'empty') { + if ( isset($vals[$index]) && $vals[$index] == 1 && isset($sads[$index]) && $sads[$index] == 0 && isset($src_c[$src]) && $src_c[$src] == 1) { + unset($srcs[$index]); + unset($tgts[$index]); + unset($vals[$index]); + unset($sads[$index]); + } + } } // We have probably truncated these so realign the indexes 
@@ -1199,29 +1331,34 @@ function view() { } function autocat() { + // This function queries and updates sguild's list of autocats. + // This function has been updated to use PDO prepared statements. + global $dbpdo; $usr = $_SESSION['sUser']; $pwd = $_SESSION['sPass']; $offset = $_SESSION['tzoffset']; - $mode = mysql_real_escape_string($_REQUEST['mode']); + $mode = $_REQUEST['mode']; switch ($mode) { case "query" : - $query = "SELECT autoid, CONVERT_TZ(erase,'+00:00','$offset') AS erase, sensorname, + // build statement + $statement = "SELECT autoid, CONVERT_TZ(erase,'+00:00', :offset1) AS erase, sensorname, src_ip, src_port, dst_ip, dst_port, ip_proto, - signature, status, active, CONVERT_TZ(timestamp,'+00:00','$offset') AS ts, + signature, status, active, CONVERT_TZ(timestamp,'+00:00', :offset2) AS ts, u.username AS user, comment FROM autocat LEFT JOIN user_info AS u ON autocat.uid = u.uid ORDER BY ts DESC"; - - $result = mysql_query($query); - - $rows = array(); - - while ($row = mysql_fetch_assoc($result)) { - $rows[] = $row; - } - + // debug + //error_log("$statement"); + // prepare statement + $query = $dbpdo->prepare("$statement"); + // build parameters for prepared statement + $params = [":offset1" => "$offset", ":offset2" => "$offset"]; + // execute the prepared statement with the params + $query->execute($params); + // fetch the data and encode to json + $rows = $query->fetchAll(PDO::FETCH_ASSOC); $theJSON = json_encode($rows); break; 
@@ -1235,7 +1372,19 @@ function autocat() { $expires = gmdate("Y-m-d H:i:s", strtotime("+ $expires")); } - $cmd = "../.scripts/clicat.tcl 1 \"$usr\" \"$expires\" \"$v[sensor]\" \"$v[src_ip]\" \"$v[src_port]\" \"$v[dst_ip]\" \"$v[dst_port]\" \"$v[proto]\" \"$v[signature]\" \"$v[status]\" \"$v[comment]\""; + $cmdusr = escapeshellarg($usr); + $cmdexpires = escapeshellarg($expires); + $cmdsensor = escapeshellarg($v['sensor']); + $cmdsrcip = escapeshellarg($v['src_ip']); + $cmdsrcport = escapeshellarg($v['src_port']); + $cmddstip = escapeshellarg($v['dst_ip']); + $cmddstport = escapeshellarg($v['dst_port']); + $cmdproto = escapeshellarg($v['proto']); + $cmdsignature = escapeshellarg($v['signature']); + $cmdstatus = escapeshellarg($v['status']); + $cmdcomment = escapeshellarg($v['comment']); + + $cmd = "../.scripts/clicat.tcl 1 $cmdusr $cmdexpires $cmdsensor $cmdsrcip $cmdsrcport $cmddstip $cmddstport $cmdproto $cmdsignature $cmdstatus $cmdcomment"; $descspec = array(0 => array("pipe", "r"), 1 => array("pipe", "w")); $proc = proc_open($cmd, $descspec, $pipes); $debug = "Process execution failed"; @@ -1259,7 +1408,11 @@ function autocat() { $type = 3; } - $cmd = "../.scripts/clicat.tcl $type \"$usr\" $id"; + $cmdtype = escapeshellarg($type); + $cmdusr = escapeshellarg($usr); + $cmdid = escapeshellarg($id); + + $cmd = "../.scripts/clicat.tcl $cmdtype $cmdusr $cmdid"; $descspec = array(0 => array("pipe", "r"), 1 => array("pipe", "w")); $proc = proc_open($cmd, $descspec, $pipes); $debug = "Process execution failed"; 
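Review bot: Every argument to `clicat.tcl` is now passed through `escapeshellarg()` and then concatenated into a shell command string for `proc_open`; if the deployment runs PHP 7.4 or newer, passing the command as an array, `proc_open(["../.scripts/clicat.tcl", "1", $usr, $expires, $v['sensor'], …], $descspec, $pipes)`, bypasses the shell entirely, needs no quoting, and removes the eleven `$cmd*` temporaries. If the string form must stay, a missing key in `$v` yields `escapeshellarg(null)`, which silently becomes `''` (and is deprecated on 8.1+), so the required keys should be checked before the command is built. The same applies to the second `$cmd` in the `-1259` hunk. The enclosing `switch` on `$mode` starts and ends outside the hunk.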
@@ -1272,10 +1425,22 @@ function autocat() { } if ($rm == 1) { - $query = "DELETE FROM autocat WHERE autoid = $id"; + $statement = "DELETE FROM autocat WHERE autoid = :id"; + // debug + //error_log("$statement"); + // prepare statement + $query = $dbpdo->prepare("$statement"); + // build parameters for prepared statement + $params = [":id" => "$id"]; + // execute the prepared statement with the params + $query->execute($params); + $result = $query->errorInfo(); + $err = ""; + // if there was no error, then $result[2] should be null + if ( ! is_null($result[2]) ) { + $err = $result[2]; + } - mysql_query($query); - $err = mysql_error(); } $result = array("dbg" => htmlspecialchars($debug), @@ -1365,11 +1530,13 @@ function esquery() { } function addremoveobject() { - $user = $_SESSION['sUser']; - $obtype = mysql_real_escape_string($_REQUEST['obtype']); - $object = mysql_real_escape_string(hextostr($_REQUEST['object'])); - $value = mysql_real_escape_string($_REQUEST['value']); - $op = mysql_real_escape_string($_REQUEST['op']); + // This function adds objects to and removes objects from the object_mappings table. + // This function has been updated to use PDO prepared statements. + global $dbpdo; + $obtype = $_REQUEST['obtype']; + $object = hextostr($_REQUEST['object']); + $value = $_REQUEST['value']; + $op = $_REQUEST['op']; // For everything but tags we want to replace the existing value $hash = md5($obtype . $object); 
@@ -1383,48 +1550,70 @@ function addremoveobject() { break; } + // Are we adding or removing? switch ($op) { case "add": - $query = "INSERT INTO object_mappings (type,object,value,hash) - VALUES ('$obtype','$object','$value','$hash') + // If adding object, insert into table. + $statement = "INSERT INTO object_mappings (type,object,value,hash) + VALUES (:obtype1,:object1,:value1,:hash1) ON DUPLICATE KEY UPDATE - type='$obtype',object='$object',value='$value',hash='$hash'"; + type=:obtype2,object=:object2,value=:value2,hash=:hash2"; + // build parameters for prepared statement + $params = [":obtype1" => "$obtype", ":object1" => "$object", ":value1" => "$value", ":hash1" => "$hash", ":obtype2" => "$obtype", ":object2" => "$object", ":value2" => "$value", ":hash2" => "$hash"]; break; case "rm": - $query = "DELETE FROM object_mappings WHERE hash = '$hash'"; + // If removing object, delete from table. + $statement = "DELETE FROM object_mappings WHERE hash = :hash"; + // build parameters for prepared statement + $params = [":hash" => "$hash"]; break; } - - mysql_query($query); - $result = mysql_error(); - $return = array("msg" => $result); - + // debug + //error_log("$statement"); + // prepare statement + $query = $dbpdo->prepare("$statement"); + // execute the prepared statement with the params + $query->execute($params); + // check for errors + $result = $query->errorInfo(); + $error = ""; + // if there was no error, then $result[2] should be null + if ( ! is_null($result[2]) ) { + $error = $result[2]; + } + $return = array("msg" => $error); $theJSON = json_encode($return); echo $theJSON; } function getcolour() { - $user = $_SESSION['sUser']; - - $query = "SELECT object, value AS colour + // This function gets the color mappings from the object_mappings table. + // This function has been updated to use PDO prepared statements. 
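Review bot: `$hash = md5($obtype . $object);` (a context line here, but the key the new `:hash` parameters are bound to) concatenates type and object with no separator, so two distinct (type, object) pairs whose concatenation is identical share one row in object_mappings, and removing one deletes the other. A separator such as `md5($obtype . '|' . $object)` removes the ambiguity but changes every stored hash and so needs a migration of existing rows; if it is deliberately left as is, say so in a `// NOTE:` comment. `$obtype`, `$value` and `$op` now reach the function unescaped, which is correct for bound parameters, but `$obtype` also appears to select a branch in the switch that follows, so unexpected values should be rejected there rather than hashed. The function continues past the end of the hunk.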
+ global $dbpdo; + // build statement + $statement = "SELECT object, value AS colour FROM object_mappings WHERE type = 'el_c'"; - - $result = mysql_query($query); - $rows = array(); - while ($row = mysql_fetch_assoc($result)) { - $rows[] = $row; - } + // debug + //error_log("$statement"); + // prepare statement + $query = $dbpdo->prepare("$statement"); + // execute the prepared statement + $query->execute(); + // fetch the data and encode to json + $rows = $query->fetchAll(PDO::FETCH_ASSOC); $theJSON = json_encode($rows); echo $theJSON; } function objhistory () { - global $offset, $start, $sdate; + // This function returns the history for an object over the last 7 days. + // This function has been updated to use PDO prepared statements. + global $offset, $start, $sdate, $sdatetime, $offset, $dbpdo; $object = hextostr($_REQUEST['object']); $object = str_replace("aa", "", $object); - // Plant, animal or mineral? + // Is object an IP address? $re = '/^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}$/'; $obtype = 0; if (preg_match($re, $object)) { 
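Review bot: When `$op` is neither "add" nor "rm", `$statement` and `$params` are undefined at `$dbpdo->prepare("$statement")`, so an unexpected value produces an uncaught `PDOException` instead of the JSON error the function otherwise returns; add `default: echo json_encode(array("msg" => "invalid op")); return;` to the switch. The INSERT binds the same four values twice as `:obtype1`/`:obtype2` and so on because a named placeholder cannot be reused with emulation off; `ON DUPLICATE KEY UPDATE type=VALUES(type), object=VALUES(object), value=VALUES(value), hash=VALUES(hash)` needs only the first four parameters. addremoveobject() begins before this hunk and getcolour() ends after it.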
@@ -1432,45 +1621,66 @@ function objhistory () { } switch ($obtype) { - case 0: $subject = "signature_id = '$object'"; break; - case 1: $subject = "(src_ip = INET_ATON('$object') OR dst_ip = INET_ATON('$object'))"; break; - } - - $query = "SELECT - DATE(CONVERT_TZ(event.timestamp,'+00:00','$offset')) AS day, - HOUR(CONVERT_TZ(event.timestamp,'+00:00','$offset')) AS hour, + case 0: + $subject = "signature_id = :object"; + $statement = "SELECT + DATE(CONVERT_TZ(event.timestamp,'+00:00', :offset1)) AS day, + HOUR(CONVERT_TZ(event.timestamp,'+00:00', :offset2)) AS hour, COUNT(event.timestamp) AS value FROM event - WHERE event.timestamp BETWEEN $start - INTERVAL 6 DAY AND $start + INTERVAL 1 DAY - AND $subject + WHERE event.timestamp BETWEEN CONVERT_TZ(:sdatetime1,:offset3,'+00:00') - INTERVAL 6 DAY AND CONVERT_TZ(:sdatetime2,:offset4,'+00:00') + INTERVAL 1 DAY + AND signature_id = :object GROUP BY day,hour ORDER BY day ASC"; + $params = [":offset1" => "$offset", ":offset2" => "$offset", ":sdatetime1" => "$sdatetime", ":offset3" => "$offset", ":sdatetime2" => "$sdatetime", ":offset4" => "$offset", ":object" => "$object"]; + break; + + case 1: + $subject = "(src_ip = INET_ATON('$object') OR dst_ip = INET_ATON('$object'))"; + $statement = "SELECT + DATE(CONVERT_TZ(event.timestamp,'+00:00', :offset1)) AS day, + HOUR(CONVERT_TZ(event.timestamp,'+00:00', :offset2)) AS hour, + COUNT(event.timestamp) AS value + FROM event + WHERE event.timestamp BETWEEN CONVERT_TZ(:sdatetime1,:offset3,'+00:00') - INTERVAL 6 DAY AND CONVERT_TZ(:sdatetime2,:offset4,'+00:00') + INTERVAL 1 DAY + AND (src_ip = INET_ATON(:object1) OR dst_ip = INET_ATON(:object2)) + GROUP BY day,hour + ORDER BY day ASC"; + $params = [":offset1" => "$offset", ":offset2" => "$offset", ":sdatetime1" => "$sdatetime", ":offset3" => "$offset", ":sdatetime2" => "$sdatetime", ":offset4" => "$offset", ":object1" => "$object", ":object2" => "$object"]; + break; + } + $query = $dbpdo->prepare("$statement"); + // original used 
unbuffered query, but that doesn't seem to work with PDO? + //$result = mysql_unbuffered_query($query); + //$query->setAttribute( PDO::MYSQL_ATTR_USE_BUFFERED_QUERY, False ); + $query->execute(array_merge($params)); $rows1 = $rows2 = array(); $r1 = $r2 = 0; - - $result = mysql_unbuffered_query($query); - - while ($row = mysql_fetch_assoc($result)) { + while ($row = $query->fetch(PDO::FETCH_ASSOC)) { $rows1[] = $row; $r1++; } - $result = ""; if ($r1 != 0 && $obtype == 1) { - $query = "SELECT + $statement = "SELECT COUNT(signature_id) AS value, signature AS label, signature_id AS sid FROM event - WHERE event.timestamp BETWEEN $start - INTERVAL 6 DAY AND $start + INTERVAL 1 DAY - AND $subject + WHERE event.timestamp BETWEEN CONVERT_TZ(:sdatetime1,:offset1,'+00:00') - INTERVAL 6 DAY AND CONVERT_TZ(:sdatetime2,:offset2,'+00:00') + INTERVAL 1 DAY + AND (src_ip = INET_ATON(:object1) OR dst_ip = INET_ATON(:object2)) GROUP BY signature_id ORDER BY value DESC"; - $result = mysql_unbuffered_query($query); - while ($row = mysql_fetch_assoc($result)) { + $params = [":sdatetime1" => "$sdatetime", ":offset1" => "$offset", ":sdatetime2" => "$sdatetime", ":offset2" => "$offset", ":object1" => "$object", ":object2" => "$object"]; + // original used unbuffered query, but that doesn't seem to work with PDO? + //$result = mysql_unbuffered_query($query); + //$query->setAttribute( PDO::MYSQL_ATTR_USE_BUFFERED_QUERY, False ); + $query = $dbpdo->prepare("$statement"); + $query->execute(array_merge($params)); + while ($row = $query->fetch(PDO::FETCH_ASSOC)) { $rows2[] = $row; $r2++; } 
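Review bot: Both `case` arms of `switch ($obtype)` still assign `$subject`, and the `case 1` version interpolates `$object` directly into SQL text (`INET_ATON('$object')`); nothing reads `$subject` any more, so delete both assignments before the interpolated form gets reused. `global $offset, $start, $sdate, $sdatetime, $offset, $dbpdo;` lists `$offset` twice, and `$start`/`$sdate` are unused in the hunk. `$query->execute(array_merge($params))` is the same as `$query->execute($params)`. The comment asking whether unbuffered queries work with PDO can be resolved: buffering is a connection attribute set where `$dbpdo` is created, so the commented-out per-statement `setAttribute` is not needed. objhistory() starts before and ends after this hunk.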
@@ -1481,34 +1691,35 @@ function objhistory () { } function times() { - global $offset, $when, $sensors; - $filter = hextostr($_REQUEST['filter']); - if ($filter != 'empty') { - $filter = str_replace('<','<', $filter); - $filter = str_replace('>','>', $filter); - $filter = "AND " . $filter; - $qp2 = "WHERE $when - $sensors - $filter"; - } else { - $qp2 = "WHERE $when - $sensors"; - } + // This function returns data to the times visualization on the EVENTS tab. + // This function has been updated to use PDO prepared statements. - $query = "SELECT - SUBSTRING(CONVERT_TZ(timestamp,'+00:00','$offset'),12,5) AS time, + global $offset, $when, $sensors, $qp2, $qp2_params, $sensor_params, $sv, $dbpdo; + $statement = "SELECT + SUBSTRING(CONVERT_TZ(event.timestamp,'+00:00',:substringoffset),12,5) AS time, COUNT(signature) AS count FROM event LEFT JOIN mappings AS msrc ON event.src_ip = msrc.ip LEFT JOIN mappings AS mdst ON event.dst_ip = mdst.ip $qp2 GROUP BY time - ORDER BY timestamp"; - $result = mysql_query($query); + ORDER BY event.timestamp"; + // add params for local part of statement + $local_params[':substringoffset'] = "$offset"; + // prepare statement + $query = $dbpdo->prepare("$statement"); + // merge params + $merged_params = array_merge($local_params, $sensor_params, $qp2_params); + // debug + //error_log("statement: $statement"); + //error_log("merged_params: " . print_r($merged_params,1)); + // execute the prepared statement with the params + $query->execute($merged_params); + $rows = array(); $r = $m = 0; - while ($row = mysql_fetch_assoc($result)) { + while ($row = $query->fetch(PDO::FETCH_ASSOC)) { $rows[] = $row; $cnts[] = $row['count']; $r++; diff --git a/.inc/functions.php b/.inc/functions.php index 5ac759c..5adeea8 100644 --- a/.inc/functions.php +++ b/.inc/functions.php 
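Review bot: `$local_params[':substringoffset'] = "$offset";` creates the array by auto-vivification with no prior declaration, which static analysers flag and which hides the intent; write `$local_params = [':substringoffset' => $offset];` instead. The `$cnts[]` append a few lines later appears to have the same shape and should be initialised next to `$rows`. `$when`, `$sensors` and `$sv` are imported but unused in the hunk. times() continues outside the hunk.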
@@ -56,13 +56,13 @@ function retSD($x) { function dbC() { if (file_exists('.inc/config.php')) { global $dbHost,$dbName,$dbUser,$dbPass; - $link = mysql_connect($dbHost,$dbUser,$dbPass); + $link = mysqli_connect($dbHost,$dbUser,$dbPass); if (!$link) { die('Connection failed: ' . mysql_error()); } - $db = mysql_select_db($dbName,$link); + $db = mysqli_select_db($link,$dbName); if (!$db) { die('Database selection failed: ' . mysql_error()); diff --git a/.inc/ip2c.php b/.inc/ip2c.php index 7613e72..7415461 100755 --- a/.inc/ip2c.php +++ b/.inc/ip2c.php 
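Review bot: The two error branches still call `mysql_error()` after the connect and select calls were moved to `mysqli_*`; on PHP 7+ the `mysql_` extension is absent, so a failed connection now dies with a call-to-undefined-function fatal instead of the intended message. Change them to `die('Connection failed: ' . mysqli_connect_error());` and `die('Database selection failed: ' . mysqli_error($link));`. dbC() continues past the end of the hunk.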
@@ -19,41 +19,38 @@ // // -function IP2C($string,$isCLI) { +include_once "config.php"; +include_once "functions.php"; - include_once "config.php"; - include_once "functions.php"; +$db = mysqli_connect($dbHost,$dbUser,$dbPass) or die(mysqli_error($db)); +mysqli_select_db($db,$dbName) or die(mysqli_error($db)); - if ($isCLI == 'NO') { - // Running from a browser - $when = 'WHERE ' . hextostr($string) . ' AND '; - } else { - // Running from the command line - if ($string == 0) { - $when = "WHERE "; - } - - if ($string == 1) { - $startDate = gmdate("Y-m-d"); - $startTime = "00:00:00"; - $endDate = gmdate("Y-m-d",strtotime($startDate . "+1 day")); - $endTime = "00:00:00"; - $when = "WHERE e.timestamp BETWEEN '$startDate $startTime' AND '$endDate $endTime' AND"; - } +function IP2C($string) { - echo "Performing base queries (this can take a while)..\n\n"; + if ($string == 0) { + $when = "WHERE "; + } + if ($string == 1) { + $startDate = gmdate("Y-m-d"); + $startTime = "00:00:00"; + $endDate = gmdate("Y-m-d",strtotime($startDate . "+1 day")); + $endTime = "00:00:00"; + $when = "WHERE e.timestamp BETWEEN '$startDate $startTime' AND '$endDate $endTime' AND"; } + echo "Performing base queries (this can take a while)..\n\n"; + function lookup($list) { - while ($row = mysql_fetch_row($list)) { + global $db; + while ($row = mysqli_fetch_row($list)) { $ip = $row[0]; $dot = long2ip((float)$ip); - $ipLookup = mysql_query("SELECT registry, cc, c_long, type, date, status FROM ip2c WHERE + $ipLookup = mysqli_query($db,"SELECT registry, cc, c_long, type, date, status FROM ip2c WHERE $ip >=start_ip AND $ip <= end_ip LIMIT 1"); - $result = mysql_fetch_array($ipLookup); + $result = mysqli_fetch_array($ipLookup); if ($result) { $registry = $result[0]; 
@@ -63,7 +60,7 @@ function lookup($list) { $date = $result[4]; $status = $result[5]; - mysql_query("REPLACE INTO mappings (registry,cc,c_long,type,ip,date,status) + mysqli_query($db,"REPLACE INTO mappings (registry,cc,c_long,type,ip,date,status) VALUES (\"$registry\",\"$cc\",\"$c_long\",\"$type\",\"$ip\",\"$date\",\"$status\")"); echo "-- Mapped $dot ($ip) to $cc ($c_long)\n"; } @@ -71,52 +68,39 @@ function lookup($list) { } } - // DB Connect - $db = mysql_connect($dbHost,$dbUser,$dbPass) or die(mysql_error()); - mysql_select_db($dbName,$db) or die(mysql_error()); - // Start timing $st = microtime(true); - $sipList = mysql_query("SELECT DISTINCT(e.src_ip) FROM event AS e LEFT JOIN mappings AS m ON e.src_ip=m.ip + + // DB Connect + global $db; + $sipList = mysqli_query($db,"SELECT DISTINCT(e.src_ip) FROM event AS e LEFT JOIN mappings AS m ON e.src_ip=m.ip WHERE (m.ip IS NULL OR m.cc = '01')"); - $dipList = mysql_query("SELECT DISTINCT(e.dst_ip) FROM event AS e LEFT JOIN mappings AS m ON e.dst_ip=m.ip + $dipList = mysqli_query($db,"SELECT DISTINCT(e.dst_ip) FROM event AS e LEFT JOIN mappings AS m ON e.dst_ip=m.ip WHERE (m.ip IS NULL OR m.cc = '01')"); $sipCount = $dipCount = 0; if ($sipList) { - $sipCount = mysql_num_rows($sipList); + $sipCount = mysqli_num_rows($sipList); if ($sipCount > 0) { lookup($sipList); } } if ($dipList) { - $dipCount = mysql_num_rows($dipList); + $dipCount = mysqli_num_rows($dipList); if ($dipCount > 0) { lookup($dipList); } } - $allRecs = mysql_query("SELECT COUNT(*) FROM mappings"); - $allCount = mysql_fetch_row($allRecs); + $allRecs = mysqli_query($db,"SELECT COUNT(*) FROM mappings"); + $allCount = mysqli_fetch_row($allRecs); // Stop Timing $et = microtime(true); $time = $et - $st; $rt = sprintf("%01.3f",$time); - if ($isCLI == 'NO') { - - $html = "\r - \r - \r - \r - \r - \r
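Review bot: `mysqli_connect(...) or die(mysqli_error($db))` passes `$db` to `mysqli_error()` precisely when `$db` is `false`, which is a TypeError on PHP 8 (a warning earlier), so a failed connection never reaches the intended message; use `die(mysqli_connect_error())` for the connect call and keep `mysqli_error($db)` only for the select. Moving the connection to file scope means that merely including ip2c.php now opens a database connection and exits on failure; if the file is still included anywhere other than the CLI entry point, that is a behaviour change worth stating in the header comment. lookup() still builds its SQL by interpolating `$ip` and the ip2c row values into `mysqli_query()` strings, here and in the `-63` hunk's `REPLACE INTO`; the values come from the database rather than the request, but `mysqli_prepare()` with bound parameters would keep this file consistent with the PDO conversion in callback.php. IP2C() and lookup() continue outside the hunk.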
 -> Query Time: $rt seconds
 -> Source Count: $sipCount
 -> Destination Count: $dipCount
 -> Total Mapped: $allCount[0]
"; - - return $html; - } - - if ($isCLI == 'YES' && $string == 0) { + if ($string == 0) { echo "\n-> Query Time: $rt seconds \r-> Source Count: $sipCount \r-> Destination Count: $dipCount @@ -125,24 +109,6 @@ function lookup($list) { } -function TheHTML($string) { - - echo "\r - \r - \r - \r - \r - \r - \r
- \r
- \r - \r

- \r - \r
- \r - \r"; -} - if (isset($argc)) { if ($argc == 1 || $argc > 2 || $argv[1] > 1 || !is_numeric($argv[1])) { @@ -153,21 +119,8 @@ function TheHTML($string) { \r1 - Update. This is intended to be called via Cron\n\n"; exit; } else { - IP2C($argv[1],'YES'); - } - -} else { - - $html = ''; - - if(!isset($_REQUEST['qText'])) { $string = $_REQUEST['qp']; } else { $string = $_REQUEST['qText']; } - - if (@$_REQUEST['csync']) { - $string = $_REQUEST['qText']; - $html = IP2C($string,'NO'); + IP2C($argv[1]); } - TheHTML($string); - echo $html; } ?> diff --git a/.inc/vendor/elasticsearch/elasticsearch/run_travis_test.sh b/.inc/vendor/elasticsearch/elasticsearch/run_travis_test.sh old mode 100755 new mode 100644 diff --git a/.js/squertBoxes.js b/.js/squertBoxes.js index 50d5b51..3606206 100644 --- a/.js/squertBoxes.js +++ b/.js/squertBoxes.js @@ -490,7 +490,7 @@ $(document).ready(function(){ } } if (emptyVal > 0) throw 0; - + // Sanitize alias var re = /^[?a-zA-Z][\w-]*$/; var OK = re.exec(filterTxt.alias); @@ -503,7 +503,26 @@ $(document).ready(function(){ // Make sure we dont match a builtin var builtins = ["cc","dip","dpt","ip","sid","sig","sip","spt","scc","dcc","st"]; if (builtins.indexOf(filterTxt.alias) != -1) throw 1; - + + // Sanitize name + var re = /^[?a-zA-Z][\w-\s]*$/; + var OK = re.exec(filterTxt.name); + if (!OK) throw 2; + if (filterTxt.name == "New") throw 2; + + // If creating a new filter make sure this name doesn't already exist + if ($("#tr_" + filterTxt.name)[0] && $('#tr_New')[0]) throw 2; + + // Sanitize notes + var re = /^[?a-zA-Z][\w-.\s]*$/; + var OK = re.exec(filterTxt.notes); + if (!OK) throw 2; + + // Sanitize url + var re = /^[?\/a-zA-Z0-9.\/:?${}(),_!&'@=\-\*#%]*$/; + var OK = re.exec(filterTxt.url); + if (!OK) throw 3; + // Continue.. oldCL = currentCL; var ftype = $(".hp_type_active").data("val"); 
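Review bot: The new `name`/`notes`/`url` checks run only in the browser, so they improve feedback but are not a control against a crafted request; whatever PHP endpoint stores the filter must apply the same patterns, and nothing in this hunk shows that it does. The `url` class admits `'`, `(`, `)`, `{`, `}` and `$`, so if the stored URL is later placed into an attribute or inline script the `'` in particular must be escaped at that point; mark the pattern `// permissive on purpose; the server re-validates and the renderer escapes`. `[\w-\s]` relies on non-unicode regex semantics to treat the `-` literally (it is a SyntaxError under the `u` flag); `[\w\s-]` is unambiguous. The `notes` pattern admits `.` and whitespace while the shared `case 2` message in the `-553` hunk tells the user only `Aa-Zz, 0-9, - and _` are valid, so one of the two should change. The enclosing click handler starts and ends outside the hunk.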
@@ -553,13 +572,23 @@ $(document).ready(function(){ eMsg += "Aa-Zz, 0-9, - and _ . "; eMsg += "The word \"New\" is reserved and may not be used."; break; + case 2: + eMsg += "
Error!
" + eMsg += "Valid characters are: "; + eMsg += "Aa-Zz, 0-9, - and _ . "; + eMsg += "The word \"New\" is reserved and may not be used."; + break; + case 3: + eMsg += "
Error!
" + eMsg += "URL format not valid!"; + break; default: eMsg += "
Format error!
"; eMsg += "Please ensure the format above is valid JSON. "; - eMsg += "I am looking for an opening curly brace \"{\" followed by \"object\": \"value\" "; + eMsg += "Ex. An opening curly brace \"{\" followed by \"object\": \"value\" "; eMsg += "pairs.
Each \"object\": \"value\" pair terminates with a comma \",\" except "; eMsg += "the last pair before the closing curly brace \"}\"."; - eMsg += " Strings must be enclosed within double quotes."; + eMsg += "Strings must be enclosed within double quotes."; break; } $('.filter_error').append(eMsg); diff --git a/.js/squertMain.js b/.js/squertMain.js index cfa8f3d..3734873 100644 --- a/.js/squertMain.js +++ b/.js/squertMain.js @@ -432,7 +432,8 @@ $(document).ready(function(){ // Logout $("#logout").click(function(event) { - $.get("index.php?id=0", function(){location.reload()}); + //$.get("/logout.html", function(){location.reload()}); + location.replace("/logout.html"); }); // Toggle filters 
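Review bot: `location.replace("/logout.html")` is a site-root-absolute path, whereas the replaced `$.get("index.php?id=0", …)` was relative to the page, so the logout link only works when Squert is served from `/`; a relative `location.replace("logout.html")` keeps the old behaviour under a sub-path. Unless the web server intercepts `/logout.html` (not determinable from this hunk), a static page does not end the PHP session server-side, so the old `index.php?id=0` request, or an equivalent server call, should still be made before navigating. The commented-out `$.get` line should be removed rather than kept. The enclosing handler starts outside the hunk.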
@@ -1309,11 +1310,23 @@ $(document).ready(function(){ } // Transcript link + // original Squert native pivot: + //txdata = "s" + i + "-" + cid + "-" + s2h(sid + "|" + utctimestamp + "|" + src_ip + "|" + src_port + "|" + dst_ip + "|" + dst_port); + //txBit = "" + sid + "." + cid + ""; + //if (src_port != "-" && dst_port != "-") { + // txBit = "" + sid + "." + cid + ""; + //} + // new pivot to CapMe: txdata = "s" + i + "-" + cid + "-" + s2h(sid + "|" + utctimestamp + "|" + src_ip + "|" + src_port + "|" + dst_ip + "|" + dst_port); - - txBit = "" + sid + "." + cid + ""; + txBit = "" + sid + "." + cid + ""; if (src_port != "-" && dst_port != "-") { - txBit = "" + sid + "." + cid + ""; + var startDate = new Date(utctimestamp); + var start_tz_offset = (startDate.getTimezoneOffset()); + var stime = startDate.setTime( startDate.getTime()/1000-(start_tz_offset*60) ) - 3600; + var endDate = new Date(utctimestamp); + var end_tz_offset = (endDate.getTimezoneOffset()); + var etime = endDate.setTime( endDate.getTime()/1000-(end_tz_offset*60) ) + 3600; + txBit = " " + sid + "." + cid + ""; } row += "" + sid + "." + cid + ""; + //if (src_port != "-" && dst_port != "-") { + // txBit = "" + sid + "." + cid + ""; + //} + // new pivot to CapMe: txdata = "s" + i + "-" + cid + "-" + s2h(sid + "|" + utctimestamp + "|" + src_ip + "|" + src_port + "|" + dst_ip + "|" + dst_port); - - txBit = "" + sid + "." + cid + ""; + txBit = "" + sid + "." + cid + ""; if (src_port != "-" && dst_port != "-") { - txBit = "" + sid + "." + cid + ""; + var startDate = new Date(utctimestamp); + var start_tz_offset = (startDate.getTimezoneOffset()); + var stime = startDate.setTime( startDate.getTime()/1000-(start_tz_offset*60) ) - 3600; + var endDate = new Date(utctimestamp); + var end_tz_offset = (endDate.getTimezoneOffset()); + var etime = endDate.setTime( endDate.getTime()/1000-(end_tz_offset*60) ) + 3600; + txBit = " " + sid + "." + cid + ""; } - + row += ""; row += ""; 
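Review bot: `var stime = startDate.setTime( startDate.getTime()/1000-(start_tz_offset*60) ) - 3600;` feeds `setTime` a value in seconds and only uses its return value, so `startDate` is left holding a nonsense instant and the line works solely because `setTime` echoes its argument; the intent reads more plainly as `var stime = Math.trunc(startDate.getTime() / 1000 - start_tz_offset * 60) - 3600;` and likewise for `etime`, with `endDate` / `end_tz_offset` dropped since they duplicate the start values. Whether subtracting `getTimezoneOffset()` is correct depends on how `new Date(utctimestamp)` parses the string (a value without a zone designator may be read as local time), so pin the input format or parse it explicitly. The old pivot is kept as six commented-out lines; delete them rather than carrying dead code. The enclosing block starts and ends outside the hunk.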
@@ -1798,9 +1823,7 @@ $(document).ready(function(){ var tmp = h2s(theData[2].data_payload).split("\n"); p_ascii = ''; for (var i in tmp) { - var parts = tmp[i].split(":\t"); - p_ascii += "
" + parts[0] + "
"; - p_ascii += "
" + parts[1] + "
"; + p_ascii += "
" + tmp[i] + "
"; } } @@ -1990,12 +2013,13 @@ $(document).ready(function(){ var objhex = s2h(suffix); var tbl = '', row = ''; // Local stuff first + // Commented out SEARCH row to reduce pivot switch (prefix[prefix.length - 1]) { case "c": row += ":: SRC or DST"; row += ":: SRC"; row += ":: DST"; - row += ":: SEARCH"; + //row += ":: SEARCH"; break; case "p": row += ":: SRC or DST"; @@ -2005,7 +2029,7 @@ $(document).ready(function(){ if ($('.sigtxt')[0]) { row += ":: HISTORY"; } - row += ":: SEARCH"; + //row += ":: SEARCH"; row += ":: COLOUR  "; row += ""; row += "apply"; @@ -2015,14 +2039,14 @@ $(document).ready(function(){ case "t": row += ":: SRC"; row += ":: DST"; - row += ":: SEARCH"; + //row += ":: SEARCH"; break; case "d": row += ":: SIGNATURE"; if ($('.sigtxt')[0]) { row += ":: HISTORY"; } - row += ":: SEARCH"; + //row += ":: SEARCH"; break; case "l": row += ":: COLOUR  "; @@ -2031,7 +2055,7 @@ $(document).ready(function(){ doexternals = "no"; break; case "z": - row += ":: SEARCH"; + //row += ":: SEARCH"; break; } diff --git a/.scripts/clicat.tcl b/.scripts/clicat.tcl index 3a15f34..3abc1b6 100755 --- a/.scripts/clicat.tcl +++ b/.scripts/clicat.tcl @@ -1,4 +1,4 @@ -#!/usr/local/bin/tclsh +#!/usr/bin/tclsh # clicat.tcl - Based on "quickscript.tcl" # Portions Copyright (C) 2013 Paul Halliday diff --git a/.scripts/ip2c.tcl b/.scripts/ip2c.tcl index 9a450cc..498961f 100755 --- a/.scripts/ip2c.tcl +++ b/.scripts/ip2c.tcl @@ -403,8 +403,7 @@ if {$fail == "no"} { set x [expr $x - 1] } } else { - puts "Checksum not found. Retrying..\n" - set x [expr $x - 1] + puts "Checksum not found. Skipping..\n" } } diff --git a/.scripts/securityonion-squert.cnf b/.scripts/securityonion-squert.cnf new file mode 100644 index 0000000..1872c5b --- /dev/null +++ b/.scripts/securityonion-squert.cnf @@ -0,0 +1,6 @@ +[mysqld] +group_concat_max_len = 1000000 +sql_mode=NO_ZERO_IN_DATE,NO_ZERO_DATE,ERROR_FOR_DIVISION_BY_ZERO,NO_AUTO_CREATE_USER,NO_ENGINE_SUBSTITUTION + +[mysqltcl] +local-infile=1 
diff --git a/.scripts/securityonion_create_elsa_link.sh b/.scripts/securityonion_create_elsa_link.sh
new file mode 100644
index 0000000..abf1f21
--- /dev/null
+++ b/.scripts/securityonion_create_elsa_link.sh
@@ -0,0 +1,31 @@
+#!/bin/bash
+
+MYSQL="mysql --defaults-file=/etc/mysql/debian.cnf -Dsecurityonion_db -e"
+
+if [ -d /var/lib/mysql/securityonion_db/ ]; then
+
+ # Configure Squert to pivot to ELSA or Elastic for lookups.
+
+ # ELSA lookup
+ if grep "ELSA=YES" /etc/nsm/securityonion.conf >/dev/null 2>&1; then
+ if grep "pcap_url" /etc/elsa_web.conf >/dev/null 2>&1; then
+ #IP=`grep "pcap_url" /etc/elsa_web.conf | head -1 | cut -d\/ -f3`
+ URL="/elsa-query/?query_string=\"\${var}\"%20groupby:program"
+ HEXVAL=$(xxd -pu -c 256 <<< "$URL")
+ $MYSQL "REPLACE INTO filters (type,username,global,name,notes,alias,filter) VALUES ('url','','1','454C5341','','ELSA','$HEXVAL');"
+ fi
+ fi
+
+ # Elastic lookup
+ if grep 'KIBANA_ENABLED="yes"' /etc/nsm/securityonion.conf >/dev/null 2>&1; then
+ # Remove ELSA link from Squert
+ mysql --defaults-file=/etc/mysql/debian.cnf -Dsecurityonion_db -e 'delete from filters where alias="ELSA";'
+ # Add Elastic link to Squert
+ ALIAS="Kibana"
+ HEXALIAS=$(xxd -pu -c 256 <<< "$ALIAS")
+ URL="/app/kibana#/dashboard/68563ed0-34bf-11e7-9b32-bb903919ead9?_g=(refreshInterval:(display:Off,pause:!f,value:0),time:(from:now-24h,mode:quick,to:now))&_a=(columns:!(_source),index:'*:logstash-*',interval:auto,query:(query_string:(analyze_wildcard:!t,query:'\"\${var}\"')),sort:!('@timestamp',desc))"
+ HEXURL=$(xxd -pu -c 356 <<< "$URL")
+ $MYSQL "REPLACE INTO filters (type,username,global,name,notes,alias,filter) VALUES ('url','','1','$HEXALIAS','','$ALIAS','$HEXURL');"
+ fi
+
+fi
diff --git a/.scripts/securityonion_update.sh b/.scripts/securityonion_update.sh
new file mode 100644
index 0000000..21b5a5d
--- /dev/null
+++ b/.scripts/securityonion_update.sh
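Review bot: `HEXURL=$(xxd -pu -c 356 <<< "$URL")` and `HEXVAL=$(xxd -pu -c 256 <<< "$URL")` only work while the column width exceeds the input length: once a URL outgrows it, xxd wraps the hex across lines, the inner newlines survive `$(...)` and land inside the SQL literal, and the Kibana URL is already long enough that the width had to be bumped to 356. Produce the hex independent of width, `HEXURL=$(printf '%s\n' "$URL" | xxd -p | tr -d '\n')`, and be deliberate about the trailing newline the here-string appends (it becomes the `0a` at the end of every stored value, matching the seed rows in securityonion_update.sql). The Elastic branch calls `mysql --defaults-file=... -e 'delete from filters where alias="ELSA";'` directly instead of reusing `$MYSQL`. Both branches run `REPLACE INTO` on every invocation, which keeps the script idempotent but also resets any operator edits to these two rows.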
@@ -0,0 +1,63 @@
+#!/bin/bash
+
+MYSQL="mysql --defaults-file=/etc/mysql/debian.cnf -Dsecurityonion_db -e"
+
+if [ -d /var/lib/mysql/securityonion_db/ ]; then
+
+ # Non-idempotent operations
+
+ # history table - comment index
+ $MYSQL "SHOW INDEX FROM history WHERE KEY_NAME = 'comment'" | grep comment >/dev/null 2>&1 ||
+ $MYSQL "CREATE INDEX comment ON history (comment(50));"
+
+ # history table - sid index
+ $MYSQL "SHOW INDEX FROM history WHERE KEY_NAME = 'sid'" | grep sid >/dev/null 2>&1 ||
+ $MYSQL "CREATE INDEX sid ON history (sid);"
+
+ # history table - cid index
+ $MYSQL "SHOW INDEX FROM history WHERE KEY_NAME = 'cid'" | grep cid >/dev/null 2>&1 ||
+ $MYSQL "CREATE INDEX cid ON history (cid);"
+
+ # user_info table - email
+ $MYSQL "DESCRIBE user_info" | grep email >/dev/null 2>&1 ||
+ $MYSQL "ALTER TABLE user_info ADD email VARCHAR(320) NOT NULL DEFAULT 'none';"
+
+ # user_info table - type
+ $MYSQL "DESCRIBE user_info" | grep type >/dev/null 2>&1 ||
+ $MYSQL "ALTER TABLE user_info ADD type ENUM('ADMIN','USER') NOT NULL DEFAULT 'USER';"
+
+ # user_info table - timeout
+ $MYSQL "DESCRIBE user_info" | grep timeout >/dev/null 2>&1 ||
+ $MYSQL "ALTER TABLE user_info ADD timeout SMALLINT UNSIGNED NOT NULL DEFAULT '5000';"
+
+ # user_info table - tzoffset
+ $MYSQL "DESCRIBE user_info" | grep tzoffset >/dev/null 2>&1 ||
+ $MYSQL "ALTER TABLE user_info ADD tzoffset varchar(6) NOT NULL DEFAULT '+00:00';"
+
+ # filters table - type
+ if $MYSQL "DESCRIBE filters" | grep type >/dev/null 2>&1 ; then
+ echo "filters table already has type field."
+ else
+ echo "Adding type field to filters table."
+ $MYSQL "ALTER TABLE filters ADD type VARCHAR(16) FIRST;"
+ $MYSQL "ALTER TABLE filters ADD INDEX type (type);"
+ $MYSQL "UPDATE filters SET type = 'filter' WHERE type IS NULL;;"
+ fi
+
+ # object_mappings table - hash
+ if $MYSQL "DESCRIBE object_mappings" | grep hash >/dev/null 2>&1 ; then
+ echo "object_mappings table already has hash field."
+ else
+ echo "Adding hash field to object_mappings table."
+ $MYSQL "ALTER TABLE object_mappings ADD hash CHAR(32);"
+ $MYSQL "UPDATE object_mappings SET hash=md5(concat(type,object,value)) WHERE hash IS NULL;"
+ $MYSQL "ALTER TABLE object_mappings DROP PRIMARY KEY , ADD PRIMARY KEY (hash);"
+ fi
+
+ # Idempotent operations
+ cat /var/www/so/squert/.scripts/securityonion_update.sql | mysql --defaults-file=/etc/mysql/debian.cnf -U securityonion_db > /var/log/nsm/squert_update.log
+
+ # ELSA lookup
+ bash /var/www/so/squert/.scripts/securityonion_create_elsa_link.sh
+
+fi
diff --git a/.scripts/securityonion_update.sql b/.scripts/securityonion_update.sql
new file mode 100644
index 0000000..4efc304
--- /dev/null
+++ b/.scripts/securityonion_update.sql
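Review bot: `$MYSQL "DESCRIBE user_info" | grep type >/dev/null 2>&1 ||` and the sibling `DESCRIBE ... | grep <name>` guards match the word anywhere in the DESCRIBE row (column name, type, default), not the column name alone, so a future column whose type or default happens to contain the word satisfies the guard and the ALTER is silently skipped; anchor the test to the first field, e.g. `$MYSQL "DESCRIBE user_info" | awk '$1 == "type"' | grep -q . ||`, or ask the server directly with `SHOW COLUMNS FROM user_info LIKE 'type'`. `$MYSQL "UPDATE filters SET type = 'filter' WHERE type IS NULL;;"` carries a stray second semicolon that the client reports as an empty query. In the idempotent step `mysql --defaults-file=... -U securityonion_db` passes `-U` (safe-updates mode) rather than `-D`; it only works because the positional argument is taken as the database name, so use `-Dsecurityonion_db` as the rest of the script does.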
@@ -0,0 +1,142 @@
+CREATE TABLE IF NOT EXISTS ip2c
+(
+ registry VARCHAR(7),
+ cc VARCHAR(2),
+ c_long VARCHAR(255),
+ type VARCHAR(4),
+ start_ip INT UNSIGNED NOT NULL DEFAULT 0,
+ end_ip INT UNSIGNED NOT NULL DEFAULT 0,
+ date DATETIME,
+ status VARCHAR(25),
+ INDEX registry (registry),
+ INDEX cc (cc),
+ INDEX c_long (c_long),
+ INDEX type (type),
+ INDEX start_ip (start_ip),
+ INDEX end_ip (end_ip)
+);
+
+INSERT IGNORE INTO ip2c (registry,cc,c_long,type,start_ip,end_ip,date,status)
+VALUES ('RFC1918','LO','RFC1918','ipv4','167772160','184549375','1996-02-01','allocated');
+
+INSERT IGNORE INTO ip2c (registry,cc,c_long,type,start_ip,end_ip,date,status)
+VALUES ('RFC1918','LO','RFC1918','ipv4','2886729728','2886795263','1996-02-01','allocated');
+
+INSERT IGNORE INTO ip2c (registry,cc,c_long,type,start_ip,end_ip,date,status)
+VALUES ('RFC1918','LO','RFC1918','ipv4','3232235520','3232301055','1996-02-01','allocated');
+
+CREATE TABLE IF NOT EXISTS mappings
+(
+ registry VARCHAR(7),
+ cc VARCHAR(2),
+ c_long VARCHAR(255),
+ type VARCHAR(4),
+ ip INT UNSIGNED NOT NULL DEFAULT 0,
+ date DATETIME,
+ status VARCHAR(25),
+ age TIMESTAMP,
+ PRIMARY KEY (ip),
+ INDEX registry (registry),
+ INDEX cc (cc),
+ INDEX c_long (c_long),
+ INDEX age (age)
+);
+
+CREATE TABLE IF NOT EXISTS stats
+(
+ timestamp DATETIME,
+ type TINYINT,
+ object INT UNSIGNED NOT NULL DEFAULT 0,
+ count INT UNSIGNED NOT NULL DEFAULT 0,
+ INDEX type (type),
+ INDEX object (object)
+);
+
+CREATE TABLE IF NOT EXISTS stat_types
+(
+ type TINYINT,
+ description VARCHAR(255)
+);
+
+INSERT IGNORE INTO stat_types (type,description) VALUES ('1','Event Severity');
+INSERT IGNORE INTO stat_types (type,description) VALUES ('2','Sensor ID');
+INSERT IGNORE INTO stat_types (type,description) VALUES ('3','Source IP');
+INSERT IGNORE INTO stat_types (type,description) VALUES ('4','Destination IP');
+INSERT IGNORE INTO stat_types (type,description) VALUES ('5','Signature ID');
+
+CREATE TABLE IF NOT EXISTS object_mappings
+(
+ type VARCHAR(4),
+ object VARCHAR(255),
+ value VARCHAR(255),
+ hash CHAR(32),
+ INDEX type (type),
+ INDEX object (object),
+ PRIMARY KEY (hash)
+);
+
+CREATE TABLE IF NOT EXISTS filters
+(
+ type VARCHAR(16),
+ name VARCHAR(255),
+ alias VARCHAR(12),
+ username VARCHAR(16),
+ filter BLOB,
+ notes VARCHAR(255) NOT NULL DEFAULT 'None.',
+ global TINYINT(1) NOT NULL DEFAULT 0,
+ age TIMESTAMP,
+ INDEX type (type),
+ PRIMARY KEY (username,alias)
+);
+
+INSERT IGNORE INTO filters (type,username,global,name,notes,alias,filter)
+VALUES ('filter','','1','5368656C6C202D20436F756E74727920436F6465','546869732069732061206275696c742d696e20726561642d6f6e6c792066696c7465722e','cc','286D7372632E6363203D20272427204F52206D6473742E6363203D2027242729');
+INSERT IGNORE INTO filters (type,username,global,name,notes,alias,filter)
+VALUES ('filter','','1','5368656C6C202D2044657374696E6174696F6E204950','546869732069732061206275696c742d696e20726561642d6f6e6c792066696c7465722e','dip','286473745F6970203D20494E45545F41544F4E282724272929');
+INSERT IGNORE INTO filters (type,username,global,name,notes,alias,filter)
+VALUES ('filter','','1','5368656C6C202D2044657374696E6174696F6E20506F7274','546869732069732061206275696c742d696e20726561642d6f6e6c792066696c7465722e','dpt','286473745F706F7274203D2027242729');
+INSERT IGNORE INTO filters (type,username,global,name,notes,alias,filter)
+VALUES ('filter','','1','5368656C6C202D204950','546869732069732061206275696c742d696e20726561642d6f6e6c792066696c7465722e','ip','287372635F6970203D20494E45545F41544F4E2827242729204F52206473745F6970203D20494E45545F41544F4E282724272929');
+INSERT IGNORE INTO filters (type,username,global,name,notes,alias,filter)
+VALUES ('filter','','1','5368656C6C202D205369676E6174757265204944','546869732069732061206275696c742d696e20726561642d6f6e6c792066696c7465722e','sid','287369676E61747572655F6964203D2027242729');
+INSERT IGNORE INTO filters (type,username,global,name,notes,alias,filter)
+VALUES ('filter','','1','5368656C6C202D205369676E6174757265','546869732069732061206275696c742d696e20726561642d6f6e6c792066696c7465722e','sig','287369676E6174757265204C494B45202725242527204F52207369676E6174757265204C494B4520272524252729');
+INSERT IGNORE INTO filters (type,username,global,name,notes,alias,filter)
+VALUES ('filter','','1','5368656C6C202D20536F75726365204950','546869732069732061206275696c742d696e20726561642d6f6e6c792066696c7465722e','sip','287372635F6970203D20494E45545F41544F4E282724272929');
+INSERT IGNORE INTO filters (type,username,global,name,notes,alias,filter)
+VALUES ('filter','','1','5368656C6C202D20536F7572636520506F7274','546869732069732061206275696c742d696e20726561642d6f6e6c792066696c7465722e','spt','287372635F706F7274203D2027242729');
+INSERT IGNORE INTO filters (type,username,global,name,notes,alias,filter)
+VALUES ('filter','','1','5368656C6C202D20536F7572636520436F756E74727920436F6465','546869732069732061206275696C742D696E20726561642D6F6E6C792066696C7465722E','scc','286D7372632E6363203D2027242729');
+INSERT IGNORE INTO filters (type,username,global,name,notes,alias,filter)
+VALUES ('filter','','1','5368656C6C202D2044657374696E6174696F6E20436F756E74727920436F6465','546869732069732061206275696C742D696E20726561642D6F6E6C792066696C7465722E','dcc','286D6473742E6363203D2027242729');
+INSERT IGNORE INTO filters (type,username,global,name,notes,alias,filter)
+VALUES ('filter','','1','5368656C6C202D204576656E7420537461747573','546869732069732061206275696C742D696E20726561642D6F6E6C792066696C7465722E','st','286576656e742e737461747573203d2027242729');
+INSERT IGNORE INTO filters (type,username,global,name,notes,alias,filter)
+VALUES ('url','','1','5669727573546f74616c','','VirusTotal','68747470733a2f2f7777772e7669727573746f74616c2e636f6d2f656e2f69702d616464726573732f247b7661727d2f696e666f726d6174696f6e2f0a');
+INSERT IGNORE INTO filters (type,username,global,name,notes,alias,filter)
+VALUES ('url','','1','446f6d61696e546f6f6c73','','DomainTools','687474703a2f2f77686f69732e646f6d61696e746f6f6c732e636f6d2f247b7661727d0a');
+INSERT IGNORE INTO filters (type,username,global,name,notes,alias,filter)
+VALUES ('url','','1','43656e7472616c4f7073','','CentralOps','687474703a2f2f63656e7472616c6f70732e6e65742f636f2f446f6d61696e446f73736965722e617370783f616464723d247b7661727d0a');
+INSERT IGNORE INTO filters (type,username,global,name,notes,alias,filter)
+VALUES ('url','','1','476f6f676c65','','Google','68747470733a2f2f7777772e676f6f676c652e636f6d2f7365617263683f713d247b7661727d0a');
+INSERT IGNORE INTO filters (type,username,global,name,notes,alias,filter)
+VALUES ('url','','1','42696e67','','Bing','68747470733a2f2f7777772e62696e672e636f6d2f7365617263683f713d6970253341247b7661727d0a');
+INSERT IGNORE INTO filters (type,username,global,name,notes,alias,filter)
+VALUES ('url','','1','416c657861','','Alexa','687474703a2f2f7777772e616c6578612e636f6d2f73697465696e666f2f247b7661727d0a');
+INSERT IGNORE INTO filters (type,username,global,name,notes,alias,filter)
+VALUES ('url','','1','5361666542726f7773696e67','','SafeBrowsing','68747470733a2f2f7777772e676f6f676c652e636f6d2f7361666562726f7773696e672f646961676e6f737469633f736974653d247b7661727d0a');
+INSERT IGNORE INTO filters (type,username,global,name,notes,alias,filter)
+VALUES ('url','','1','5a657573547261636b6572','','ZeusTracker','68747470733a2f2f7a657573747261636b65722e61627573652e63682f6d6f6e69746f722e7068703f7365617263683d247b7661727d0a');
+INSERT IGNORE INTO filters (type,username,global,name,notes,alias,filter)
+VALUES ('url','','1','4d616c77617265446f6d61696e4c697374','','MDL','687474703a2f2f7777772e6d616c77617265646f6d61696e6c6973742e636f6d2f6d646c2e7068703f7365617263683d247b7661727d0a');
+
+
+GRANT INSERT,UPDATE,DELETE ON filters TO 'readonly'@'localhost';
+
+GRANT DELETE on autocat to 'readonly'@'localhost';
+
+GRANT DELETE on history to 'readonly'@'localhost';
+
+GRANT UPDATE on user_info TO 'readonly'@'localhost';
+
+GRANT INSERT,UPDATE ON object_mappings TO 'readonly'@'localhost';
diff --git a/README.md b/README.md
index ef9b0b5..f42af43 100644
--- a/README.md
+++ b/README.md
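Review bot: `GRANT INSERT,UPDATE,DELETE ON filters TO 'readonly'@'localhost';` and the four grants after it hand write privileges on filters, autocat, history, user_info and object_mappings to an account named `readonly`, which appears to be the shared Sguil read account rather than one dedicated to Squert; the README removed in this same commit created a separate `squert_user` for exactly these grants. Use a dedicated application account so the name still describes its privilege set and a compromise of the web tier does not extend to every other consumer of the `readonly` credentials. `alias VARCHAR(12)` is half of `PRIMARY KEY (username,alias)` and the seeded `SafeBrowsing` alias is already exactly twelve characters; with strict mode disabled (see the shipped .cnf) a longer alias is silently truncated and can collide with an existing key, which `INSERT IGNORE` then hides, so widen the column or document the limit next to the table.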
@@ -1,165 +1,9 @@ ## squert - A Simple Query and Report Tool - -####### - -NOTE: This project is no longer in active develpment. See [here](http://www.pintumbler.org/words/youcantgobackonlyforward) for more detail. -Thanks to everyone that has supported me through the years while I worked on this. - -####### - - - -Home: [http://www.squertproject.org](http://www.squertproject.org) - -Talk: [Version 1.3 @CANHEIT 2014](http://www.pintumbler.org/squert-canheit2014.pdf) - -Intro: [http://www.youtube.com/watch?v=ZOsVw96XM8E](http://www.youtube.com/watch?v=ZOsVw96XM8E) - -Changes v1.1.6: [http://www.youtube.com/watch?v=_eheJv0MJDY](http://www.youtube.com/watch?v=_eheJv0MJDY) - -Changes v1.1.9: [http://www.youtube.com/watch?v=QkgrigopfQA](http://www.youtube.com/watch?v=QkgrigopfQA) - -Changes v1.2.0: Cleanup. Removed fixed credentials in sguil helpers. - -Changes v1.3.0: - -* ElasticSearch queries (Bro) -* Autocat editor -* Significant interface changes - -See: [Changes v1.3.0](http://www.squertproject.org/summaryofchangesforsquertversion130) - -Changes v1.4.0: - -* URLs -* Moved to menu on click -* Bugfixes - -See: [Changes v1.4.0](http://www.squertproject.org/summaryofchangesforsquertversion140) - -Changes v1.5.0 - -* Control layout changes -* Object colouring from context menu -* Bugfixes - -See: [Changes v1.5.0](http://www.squertproject.org/summaryofchangesforsquertversion150) - - ## Description -SQueRT is a tool that is used to query event data - -## Requirements - -* Sguil 0.9.0 [http://sguil.net](http://sguil.net). If you use Security Onion [http://securityonion.blogspot.ca](http://securityonion.blogspot.ca) you can get everything setup rather quickly. 
- - -* PHP55 with CLI - * mysql -* TCL, TclX - * mysqltcl - * uri - * ftp - * ftp::geturl - * md5 -* MySQL client - -## Upgrade - -You will need to run these commands: - -`mysql> ALTER TABLE filters ADD type VARCHAR(16) FIRST;` - -`mysql> ALTER TABLE filters ADD INDEX type (type);` - -`mysql> UPDATE filters SET type = 'filter' WHERE type IS NULL;` - -## Install - -1) Extract the squert tarball to a web directory and rename it to "squert" - -2) Copy squert/.inc/config.php.sample to squert/.inc/config.php - -3) Edit squert/.inc/config.php to match your sguildb and sguild server settings - -4) IMPORTANT!! Edit your MySQL server settings to include the following directive: - -`group_concat_max_len = 100000` - -this should be placed in the "[mysqld]" section of my.cnf - -Also, - -The ip2c TCL scripts uses "LOAD DATA LOCAL INFILE" to dump the results into the database. -While most stock MySQL installs are compiled with this, they don't always allow it. - -Find the my.cnf that your client is using and add: - -`local-infile=1` - -to the client section. If you just have the client installed and you cant find this -file just create it in /etc and add: - -`[client]` -`local-infile=1` - -Lastly, - -You will need to add indexes to the sid and cid columns in Sguils history table: - -`mysql -N -B --user=root -p -e "CREATE INDEX sid ON history (sid);"` -`mysql -N -B --user=root -p -e "CREATE INDEX cid ON history (cid);"` - -Performance WILL suffer if you do not do this. 
- -5) Create additional tables: - -`cat squert/.scripts/squert.sql | mysql -uroot -p -U sguildb` - -6) Create a mysql user account for squert to access sguildb (what you set in step 3): - -`mysql -N -B --user=root -p -e "GRANT SELECT ON sguildb.* TO 'squert_user'@'localhost' IDENTIFIED BY 'apassword';"` - -7) Give this user privileges to the ip2c table: - -`mysql -N -B --user=root -p -e "GRANT ALL PRIVILEGES ON sguildb.ip2c TO 'squert_user'@'localhost';"` - -8) Give this user privileges to the mappings table: - -`mysql -N -B --user=root -p -e "GRANT ALL PRIVILEGES ON sguildb.mappings TO 'squert_user'@'localhost';"` - -9) Give this user privileges to the filters table: - -`mysql -N -B --user=root -p -e "GRANT INSERT,UPDATE,DELETE ON sguildb.filters TO 'squert_user'@'localhost';"` - -10) Give this user privileges to sguils user_info table: - -`mysql -N -B --user=root -p -e "GRANT UPDATE ON sguildb.user_info TO 'squert_user'@'localhost';"`; - -11) Now populate the ip2c table: - -`squert/.scripts/ip2c.tcl` - -12) Add an index to comment column in Sguils history table: - -`mysql -N -B --user=root -p -e "CREATE INDEX comment ON sguildb.history (comment(50));"` - -13) The readonly user needs DELETE access to sguils history table (to delete comments): - -`mysql -N -B --user=root -p -e "GRANT DELETE on sguildb.history to 'readonly'@'localhost';"` - -14) Create a scheduled task to keep the mappings tables up to date: - -`*/5 * * * * /usr/local/bin/php -e /usr/local/www/squert/.inc/ip2c.php 1 > /dev/null 2>&1` - -This entry updates the database every 5 minutes. Make sure you use the correct paths to php and ip2c.php. - -15) Create a scheduled task to keep the ip2c table up to date: - -`0 0 1 * * /.scripts/ip2c.tcl > /dev/null 2>&1` - -This entry updates the ip2c database on the first day of every month. +SQueRT is a tool that is used to query event data. -That's it. 
Point your browser to https://yourhost/squert +NOTE: SQueRT was originally developed by [Paul Halliday](http://www.pintumbler.org/words/youcantgobackonlyforward). +Thanks to Paul for all of his hard work over the years! +This is a fork of Paul's latest version that is maintained by the Security Onion team and includes modifications specific to Security Onion. diff --git a/debian/changelog b/debian/changelog new file mode 100644 index 0000000..af9b5a2 --- /dev/null +++ b/debian/changelog 
@@ -0,0 +1,263 @@
+securityonion-squert (20161212-1ubuntu1securityonion44) xenial; urgency=medium
+
+ * Squert: improve consistency of username handling Security-Onion-Solutions/security-onion#1643
+
+ -- Doug Burks Tue, 17 Sep 2019 16:07:37 -0400
+
+securityonion-squert (20161212-1ubuntu1securityonion43) xenial; urgency=medium
+
+ * securityonion-squert: increase group_concat_max_len Security-Onion-Solutions/security-onion#1602
+
+ -- Doug Burks Wed, 07 Aug 2019 19:39:24 -0400
+
+securityonion-squert (20161212-1ubuntu1securityonion42) xenial; urgency=medium
+
+ * Squert: Priority counts incorrect #1277
+
+ -- Doug Burks Thu, 05 Jul 2018 07:06:30 -0400
+
+securityonion-squert (20161212-1ubuntu1securityonion41) xenial; urgency=medium
+
+ * Issue 1259: Squert: turning grouping off results in no alerts
+
+ -- Doug Burks Thu, 14 Jun 2018 13:36:43 -0400
+
+securityonion-squert (20161212-1ubuntu1securityonion40) xenial; urgency=medium
+
+ * Issue 1169: Squert: remove search link from context menu
+
+ -- Doug Burks Fri, 25 May 2018 08:21:46 -0400
+
+securityonion-squert (20161212-1ubuntu1securityonion39) xenial; urgency=medium
+
+ * remove unnecessary code from ip2c.php
+
+ -- Doug Burks Sat, 05 May 2018 06:28:57 -0400
+
+securityonion-squert (20161212-1ubuntu1securityonion38) xenial; urgency=medium
+
+ * update mysql function calls in ip2c.php
+
+ -- Doug Burks Fri, 04 May 2018 17:04:11 -0400
+
+securityonion-squert (20161212-1ubuntu1securityonion37) xenial; urgency=medium
+
+ * fix for loop
+
+ -- Doug Burks Thu, 03 May 2018 11:01:09 -0400
+
+securityonion-squert (20161212-1ubuntu1securityonion36) xenial; urgency=medium
+
+ * iterate over all arrays when converting strings
+
+ -- Doug Burks Thu, 03 May 2018 10:05:19 -0400
+
+securityonion-squert (20161212-1ubuntu1securityonion35) xenial; urgency=medium
+
+ * frontend expects all values to be strings
+
+ -- Doug Burks Thu, 03 May 2018 09:34:58 -0400
+
+securityonion-squert (20161212-1ubuntu1securityonion34) xenial; urgency=medium
+
+ * disable mysql strict mode
+
+ -- Doug Burks Wed, 02 May 2018 16:46:37 -0400
+
+securityonion-squert (20161212-1ubuntu1securityonion33) xenial; urgency=medium
+
+ * fix auth
+
+ -- Doug Burks Wed, 02 May 2018 14:56:49 -0400
+
+securityonion-squert (20161212-1ubuntu1securityonion32) xenial; urgency=medium
+
+ * move files from elastic package
+
+ -- Doug Burks Wed, 02 May 2018 13:42:37 -0400
+
+securityonion-squert (20161212-1ubuntu1securityonion31) xenial; urgency=medium
+
+ * force disable autoindex
+
+ -- Doug Burks Wed, 02 May 2018 09:14:41 -0400
+
+securityonion-squert (20161212-1ubuntu1securityonion30) xenial; urgency=medium
+
+ * update mysql calls and config
+
+ -- Doug Burks Tue, 01 May 2018 18:04:07 -0400
+
+securityonion-squert (20161212-1ubuntu1securityonion29) xenial; urgency=medium
+
+ * change php5 to php
+
+ -- Doug Burks Fri, 27 Apr 2018 15:39:16 -0400
+
+securityonion-squert (20161212-1ubuntu1securityonion28) trusty; urgency=medium
+
+ * version 1.7.1
+
+ -- Doug Burks Fri, 09 Feb 2018 06:14:16 -0500
+
+securityonion-squert (20161212-1ubuntu1securityonion27) trusty; urgency=medium
+
+ * add row for Bro agent
+
+ -- Doug Burks Thu, 08 Feb 2018 19:57:56 -0500
+
+securityonion-squert (20161212-1ubuntu1securityonion26) trusty; urgency=medium
+
+ * migrate login.php to prepared statements
+
+ -- Doug Burks Sun, 21 Jan 2018 13:33:27 -0500
+
+securityonion-squert (20161212-1ubuntu1securityonion25) trusty; urgency=medium
+
+ * allow pivot to ELSA or Elastic
+
+ -- Doug Burks Fri, 19 Jan 2018 16:55:16 -0500
+
+securityonion-squert (20161212-1ubuntu1securityonion24) trusty; urgency=medium
+
+ * improve callback.php and grant permission to autocat table
+
+ -- Doug Burks Fri, 19 Jan 2018 16:11:02 -0500
+
+securityonion-squert (20161212-1ubuntu1securityonion23) trusty; urgency=medium
+
+ * begin transition to pdo prepared statements
+
+ -- Doug Burks Fri, 05 Jan 2018 18:03:20 -0500
+
+securityonion-squert (20161212-1ubuntu1securityonion22) trusty; urgency=medium
+
+ * set version to 1.7.0
+
+ -- Doug Burks Wed, 03 Jan 2018 07:46:38 -0500
+
+securityonion-squert (20161212-1ubuntu1securityonion21) trusty; urgency=medium
+
+ * move auth files to /opt/squert
+
+ -- Doug Burks Wed, 03 Jan 2018 06:46:00 -0500
+
+securityonion-squert (20161212-1ubuntu1securityonion20) trusty; urgency=medium
+
+ * fix postinst
+
+ -- Doug Burks Tue, 02 Jan 2018 17:45:10 -0500
+
+securityonion-squert (20161212-1ubuntu1securityonion19) trusty; urgency=medium
+
+ * improve postinst
+
+ -- Doug Burks Tue, 02 Jan 2018 14:44:58 -0500
+
+securityonion-squert (20161212-1ubuntu1securityonion18) trusty; urgency=medium
+
+ * fix install
+
+ -- Doug Burks Mon, 01 Jan 2018 19:26:53 -0500
+
+securityonion-squert (20161212-1ubuntu1securityonion17) trusty; urgency=medium
+
+ * improve calls to clicat
+
+ -- Doug Burks Mon, 01 Jan 2018 17:00:23 -0500
+
+securityonion-squert (20161212-1ubuntu1securityonion16) trusty; urgency=medium
+
+ * merge and adjust comment
+
+ -- Doug Burks Thu, 21 Dec 2017 06:21:12 -0500
+
+securityonion-squert (20161212-1ubuntu1securityonion15) trusty; urgency=medium
+
+ * improve input validation and output filtering
+
+ -- Doug Burks Wed, 20 Dec 2017 15:38:21 -0500
+
+securityonion-squert (20161212-1ubuntu1securityonion14) trusty; urgency=medium
+
+ * fix error in times function
+
+ -- Doug Burks Fri, 18 Aug 2017 08:57:12 -0400
+
+securityonion-squert (20161212-1ubuntu1securityonion13) trusty; urgency=medium
+
+ * Squert: comment search not working #1119
+
+ -- Doug Burks Thu, 17 Aug 2017 07:26:33 -0400
+
+securityonion-squert (20161212-1ubuntu1securityonion12) trusty; urgency=medium
+
+ * Squert: ip2c avoid hard loop when file unavailable #1067
+
+ -- Doug Burks Sat, 21 Jan 2017 06:59:49 -0500
+
+securityonion-squert (20161212-1ubuntu1securityonion11) trusty; urgency=medium
+
+ * bump version to 1.6.4
+
+ -- Doug Burks Sat, 21 Jan 2017 05:18:59 -0500
+
+securityonion-squert (20161212-1ubuntu1securityonion10) trusty; urgency=medium
+
+ * Squert: error when removing comment #1066
+
+ -- Doug Burks Sat, 21 Jan 2017 05:06:53 -0500
+
+securityonion-squert (20161212-1ubuntu1securityonion9) trusty; urgency=medium
+
+ * initialize srcd, dstd, and alld in callback.php
+
+ -- Doug Burks Fri, 16 Dec 2016 10:06:58 -0500
+
+securityonion-squert (20161212-1ubuntu1securityonion8) trusty; urgency=medium
+
+ * Squert: OSSEC HIDS alerts display NIDS rules #958
+
+ -- Doug Burks Fri, 16 Dec 2016 09:09:13 -0500
+
+securityonion-squert (20161212-1ubuntu1securityonion7) trusty; urgency=medium
+
+ * populate empty hash fields
+
+ -- Doug Burks Wed, 14 Dec 2016 10:53:03 -0500
+
+securityonion-squert (20161212-1ubuntu1securityonion6) trusty; urgency=medium
+
+ * add hash to object_mappings table
+
+ -- Doug Burks Wed, 14 Dec 2016 09:41:28 -0500
+
+securityonion-squert (20161212-1ubuntu1securityonion5) trusty; urgency=medium
+
+ * fix ip2c.php
+
+ -- Doug Burks Mon, 12 Dec 2016 17:31:29 -0500
+
+securityonion-squert (20161212-1ubuntu1securityonion4) trusty; urgency=medium
+
+ * disable ip2c.php
+
+ -- Doug Burks Mon, 12 Dec 2016 16:45:49 -0500
+
+securityonion-squert (20161212-1ubuntu1securityonion3) trusty; urgency=medium
+
+ * update path in clicat.tcl
+
+ -- Doug Burks Mon, 12 Dec 2016 16:35:50 -0500
+
+securityonion-squert (20161212-1ubuntu1securityonion2) trusty; urgency=medium
+
+ * add config.php
+
+ -- Doug Burks Mon, 12 Dec 2016 16:16:31 -0500
+
+securityonion-squert (20161212-1ubuntu1securityonion1) trusty; urgency=low
+
+ * Initial release
+
+ -- Doug Burks Mon, 12 Dec 2016 15:49:09 -0500
diff --git a/debian/compat b/debian/compat
new file mode 100644
index 0000000..ec63514
--- /dev/null
+++ b/debian/compat
@@ -0,0 +1 @@
+9
diff --git a/debian/control b/debian/control
new file mode 100644
index 0000000..be27171
--- /dev/null
+++ b/debian/control
@@ -0,0 +1,15 @@
+Source: securityonion-squert
+Section: net
+Priority: extra
+Maintainer: Doug Burks
+Build-Depends: debhelper (>= 8.0.0)
+Standards-Version: 3.9.3
+Homepage: http://www.squertproject.org/
+#Vcs-Git: git://git.debian.org/collab-maint/securityonion-squert.git
+#Vcs-Browser: http://git.debian.org/?p=collab-maint/securityonion-squert.git;a=summary
+
+Package: securityonion-squert
+Architecture: all
+Depends: ${misc:Depends}, apache2, patch, php, libapache2-mod-php, php-mysql, php-cli, php-gd, mysqltcl, mysql-server, mysql-client, graphviz, libtext-csv-perl, tclcurl
+Description: squert
+ Squert is a web interface for the Sguil database.
diff --git a/debian/copyright b/debian/copyright
new file mode 100644
index 0000000..da1f14d
--- /dev/null
+++ b/debian/copyright
@@ -0,0 +1,36 @@ +Format: http://dep.debian.net/deps/dep5 +Upstream-Name: securityonion-squert +Source: + +Files: * +Copyright: + +License: + + + . + + +# If you want to use GPL v2 or later for the /debian/* files use +# the following clauses, or change it to suit. Delete these two lines +Files: debian/* +Copyright: 2014 Doug Burks +License: GPL-2+ + This package is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 2 of the License, or + (at your option) any later version. + . + This package is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + . + You should have received a copy of the GNU General Public License + along with this program. If not, see + . + On Debian systems, the complete text of the GNU General + Public License version 2 can be found in "/usr/share/common-licenses/GPL-2". + +# Please also look if there are files or directories which have a +# different copyright/license attached and list them here. diff --git a/debian/docs b/debian/docs new file mode 100644 index 0000000..b43bf86 --- /dev/null +++ b/debian/docs @@ -0,0 +1 @@ +README.md diff --git a/debian/install b/debian/install new file mode 100644 index 0000000..19c9401 --- /dev/null +++ b/debian/install @@ -0,0 +1,8 @@ +.css var/www/so/squert/ +.flags var/www/so/squert/ +.inc var/www/so/squert/ +index.php var/www/so/squert/ +login.php var/www/so/squert/ +.js var/www/so/squert/ +.scripts var/www/so/squert/ +.scripts/securityonion-squert.cnf etc/mysql/conf.d/ diff --git a/debian/patches/Issue-1169:-Squert:-remove-search-link-from-context-menu b/debian/patches/Issue-1169:-Squert:-remove-search-link-from-context-menu new file mode 100644 index 0000000..b66379b --- /dev/null 
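Review bot: The `debian/install` hunk places the whole `.inc` and `.scripts` trees under `var/www/so/squert/`, i.e. inside the web document root, and `.scripts` holds non-PHP helpers (the `.sh`, `.sql`, `.tcl` and `.cnf` files that the patches further down this page reference). Unless the shipped Apache vhost explicitly denies dot-directories, those files are served verbatim to anyone who can reach the site; the stock Apache configuration only protects `.ht*` names, and the vhost is not part of this change, so this is inferred from the install paths alone. Consider installing `.scripts` outside the document root, e.g. `.scripts usr/share/securityonion-squert/scripts/` (a constructed example path), or add a deny rule for `.inc` and `.scripts` to the vhost and note it in the package description.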
+++ b/debian/patches/Issue-1169:-Squert:-remove-search-link-from-context-menu 
@@ -0,0 +1,88 @@ +Description: + TODO: Put a short summary on the line above and replace this paragraph + with a longer explanation of this change. Complete the meta-information + with other relevant fields (see below for details). To make it easier, the + information below has been extracted from the changelog. Adjust it or drop + it. + . + securityonion-squert (20161212-1ubuntu1securityonion40) xenial; urgency=medium + . + * Issue 1169: Squert: remove search link from context menu +Author: Doug Burks + +--- +The information above should follow the Patch Tagging Guidelines, please +checkout http://dep.debian.net/deps/dep3/ to learn about the format. Here +are templates for supplementary fields that you might want to add: + +Origin: , +Bug: +Bug-Debian: http://bugs.debian.org/ +Bug-Ubuntu: https://launchpad.net/bugs/ +Forwarded: +Reviewed-By: +Last-Update: + +--- securityonion-squert-20161212.orig/.js/squertMain.js ++++ securityonion-squert-20161212/.js/squertMain.js +@@ -2013,12 +2013,13 @@ $(document).ready(function(){ + var objhex = s2h(suffix); + var tbl = '', row = ''; + // Local stuff first ++ // Commented out SEARCH row to reduce pivot + switch (prefix[prefix.length - 1]) { + case "c": + row += ":: SRC or DST"; + row += ":: SRC"; + row += ":: DST"; +- row += ":: SEARCH"; ++ //row += ":: SEARCH"; + break; + case "p": + row += ":: SRC or DST"; +@@ -2028,7 +2029,7 @@ $(document).ready(function(){ + if ($('.sigtxt')[0]) { + row += ":: HISTORY"; + } +- row += ":: SEARCH"; ++ //row += ":: SEARCH"; + row += ":: COLOUR  "; + row += ""; + row += "apply"; +@@ -2038,14 +2039,14 @@ $(document).ready(function(){ + case "t": + row += ":: SRC"; + row += ":: DST"; +- row += ":: SEARCH"; ++ //row += ":: SEARCH"; + break; + case "d": + row += ":: SIGNATURE"; + if ($('.sigtxt')[0]) { + row += ":: HISTORY"; + } +- row += ":: SEARCH"; ++ //row += ":: SEARCH"; + break; + case "l": + row += ":: COLOUR  "; +@@ -2054,7 +2055,7 @@ $(document).ready(function(){ + doexternals = "no"; + 
break; + case "z": +- row += ":: SEARCH"; ++ //row += ":: SEARCH"; + break; + } + +--- securityonion-squert-20161212.orig/login.php ++++ securityonion-squert-20161212/login.php +@@ -150,7 +150,7 @@ Password
+

+ + +-
Version 1.7.1©2016 Paul Halliday
++
Version 1.8.0©2016 Paul Halliday
+ + + diff --git a/debian/patches/Issue-1259:-Squert:-turning-grouping-off-results-in-no-alerts b/debian/patches/Issue-1259:-Squert:-turning-grouping-off-results-in-no-alerts new file mode 100644 index 0000000..c806b48 --- /dev/null +++ b/debian/patches/Issue-1259:-Squert:-turning-grouping-off-results-in-no-alerts @@ -0,0 +1,49 @@ +Description: + TODO: Put a short summary on the line above and replace this paragraph + with a longer explanation of this change. Complete the meta-information + with other relevant fields (see below for details). To make it easier, the + information below has been extracted from the changelog. Adjust it or drop + it. + . + securityonion-squert (20161212-1ubuntu1securityonion41) xenial; urgency=medium + . + * Issue 1259: Squert: turning grouping off results in no alerts +Author: Doug Burks + +--- +The information above should follow the Patch Tagging Guidelines, please +checkout http://dep.debian.net/deps/dep3/ to learn about the format. Here +are templates for supplementary fields that you might want to add: + +Origin: , +Bug: +Bug-Debian: https://bugs.debian.org/ +Bug-Ubuntu: https://launchpad.net/bugs/ +Forwarded: +Reviewed-By: +Last-Update: + +--- securityonion-squert-20161212.orig/.inc/callback.php ++++ securityonion-squert-20161212/.inc/callback.php +@@ -498,6 +498,10 @@ function level2a() { + $query->execute($merged_params); + // fetch the data and encode to json + $rows = $query->fetchAll(PDO::FETCH_ASSOC); ++ // the frontend expects all values to be strings ++ for ($i=0;$i +
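Review bot: The nested patch keeps the removed context-menu entries as commented-out code (`//row += ":: SEARCH";` in five `case` branches) instead of deleting them, and the one explanatory line `// Commented out SEARCH row to reduce pivot` says what was done rather than why; dropping the five lines and writing `// SEARCH entry removed (Issue 1169): <reason>` once at the top of the switch would leave nothing for the next reader to puzzle over. Separately, the DEP-3 header of this patch still carries the template's `TODO: Put a short summary on the line above ...` paragraph and empty `Origin:`/`Bug:`/`Last-Update:` fields, and the same template text is left in every other patch file added by this commit (Issue-1259, #958, #1277, #1119, #1066, #1643, #1067, add-config.php, add-hash-to-object_mappings-table, add-row-for-Bro-agent, add-securityonion-squert.cnf, allow-pivot-to-elsa-or-elastic, begin-transition-to-pdo-prepared-statements); a one-line `Description:` plus `Bug:` and `Last-Update:` per patch is all that is needed. The `switch` being edited starts before the first nested hunk and ends after the last, so the surrounding function is not visible here.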

+ + +-
Version 1.8.0©2016 Paul Halliday
++
Version 1.8.1©2016 Paul Halliday
+ + + diff --git a/debian/patches/Squert:-OSSEC-HIDS-alerts-display-NIDS-rules-#958 b/debian/patches/Squert:-OSSEC-HIDS-alerts-display-NIDS-rules-#958 new file mode 100644 index 0000000..db29a56 --- /dev/null +++ b/debian/patches/Squert:-OSSEC-HIDS-alerts-display-NIDS-rules-#958 
@@ -0,0 +1,148 @@ +Description: + TODO: Put a short summary on the line above and replace this paragraph + with a longer explanation of this change. Complete the meta-information + with other relevant fields (see below for details). To make it easier, the + information below has been extracted from the changelog. Adjust it or drop + it. + . + securityonion-squert (20161212-1ubuntu1securityonion8) trusty; urgency=medium + . + * Squert: OSSEC HIDS alerts display NIDS rules #958 +Author: Doug Burks + +--- +The information above should follow the Patch Tagging Guidelines, please +checkout http://dep.debian.net/deps/dep3/ to learn about the format. Here +are templates for supplementary fields that you might want to add: + +Origin: , +Bug: +Bug-Debian: http://bugs.debian.org/ +Bug-Ubuntu: https://launchpad.net/bugs/ +Forwarded: +Reviewed-By: +Last-Update: + +--- securityonion-squert-20161212.orig/.inc/callback.php ++++ securityonion-squert-20161212/.inc/callback.php +@@ -113,61 +113,59 @@ function signatures() { + $wasMatched = 0; + $dirs = explode("||",$rulePath); + +- if ( $gID > 100 ) { +- $dc = 0; +- $wasMatched = 2; ++ if ( $gID == 10001 ) { ++ $result = array("ruletxt" => "Generator ID $gID. OSSEC rules can be found in /var/ossec/rules/.", ++ "rulefile" => "n/a", ++ "ruleline" => "n/a", ++ ); ++ } elseif ( $gID != 1 && $gID != 3 ) { ++ $result = array("ruletxt" => "Generator ID $gID. This event belongs to a preprocessor or decoder.", ++ "rulefile" => "n/a", ++ "ruleline" => "n/a", ++ ); + } else { +- $dc = (count($dirs) - 1); +- } +- +- for ($i = 0; $i <= $dc; $i++) +- if ($ruleDir = opendir($dirs[$i])) { +- while (false !== ($ruleFile = readdir($ruleDir))) { +- if ($ruleFile != "." 
&& $ruleFile != "..") { +- $ruleLines = file("$dirs[$i]/$ruleFile"); +- $lineNumber = 1; +- +- foreach($ruleLines as $line) { +- +- $searchCount = preg_match("/sid\:\s*$sigID\s*\;/",$line); +- +- if($searchCount > 0) { +- $tempMsg = preg_match("/\bmsg\s*:\s*\"(.+?)\"\s*;/i",$line,$ruleMsg); +- +- $line = urlMkr(htmlspecialchars($line)); +- +- $result = array("ruletxt" => $line, +- "rulefile" => $ruleFile, +- "ruleline" => $lineNumber, +- ); +- $wasMatched = 1; +- break; +- } +- $lineNumber++; +- } +- } +- } +- +- closedir($ruleDir); +- } +- +- if ($wasMatched == 0) { +- $result = array("ruletxt" => "No match for signature ID $sigID", +- "rulefile" => "n/a", +- "ruleline" => "n/a", +- ); +- } +- +- if ($wasMatched == 2) { +- $result = array("ruletxt" => "Generator ID > 100. This event belongs to a preprocessor or the decoder. Generator ID: $gID ", +- "rulefile" => "n/a", +- "ruleline" => "n/a", +- ); ++ $dc = (count($dirs) - 1); ++ for ($i = 0; $i <= $dc; $i++) ++ if ($ruleDir = opendir($dirs[$i])) { ++ while (false !== ($ruleFile = readdir($ruleDir))) { ++ if ($ruleFile != "." 
&& $ruleFile != "..") { ++ $ruleLines = file("$dirs[$i]/$ruleFile"); ++ $lineNumber = 1; ++ ++ foreach($ruleLines as $line) { ++ ++ $searchCount = preg_match("/sid\:\s*$sigID\s*\;/",$line); ++ ++ if($searchCount > 0) { ++ $tempMsg = preg_match("/\bmsg\s*:\s*\"(.+?)\"\s*;/i",$line,$ruleMsg); ++ ++ $line = urlMkr(htmlspecialchars($line)); ++ ++ $result = array("ruletxt" => $line, ++ "rulefile" => $ruleFile, ++ "ruleline" => $lineNumber, ++ ); ++ $wasMatched = 1; ++ break; ++ } ++ $lineNumber++; ++ } ++ } ++ } ++ ++ closedir($ruleDir); ++ } ++ ++ if ($wasMatched == 0) { ++ $result = array("ruletxt" => "No match for signature ID $sigID", ++ "rulefile" => "n/a", ++ "ruleline" => "n/a", ++ ); ++ } + } + + $theJSON = json_encode($result); + echo $theJSON; +- + } + + function level0() { +--- securityonion-squert-20161212.orig/login.php ++++ securityonion-squert-20161212/login.php +@@ -130,7 +130,7 @@ Password
+

+ + +-
Version 1.6.1©2016 Paul Halliday
++
Version 1.6.2©2016 Paul Halliday
+ + + diff --git a/debian/patches/Squert:-Priority-counts-incorrect-#1277 b/debian/patches/Squert:-Priority-counts-incorrect-#1277 new file mode 100644 index 0000000..55bb366 --- /dev/null +++ b/debian/patches/Squert:-Priority-counts-incorrect-#1277 
@@ -0,0 +1,49 @@ +Description: + TODO: Put a short summary on the line above and replace this paragraph + with a longer explanation of this change. Complete the meta-information + with other relevant fields (see below for details). To make it easier, the + information below has been extracted from the changelog. Adjust it or drop + it. + . + securityonion-squert (20161212-1ubuntu1securityonion42) xenial; urgency=medium + . + * Squert: Priority counts incorrect #1277 +Author: Doug Burks + +--- +The information above should follow the Patch Tagging Guidelines, please +checkout http://dep.debian.net/deps/dep3/ to learn about the format. Here +are templates for supplementary fields that you might want to add: + +Origin: , +Bug: +Bug-Debian: https://bugs.debian.org/ +Bug-Ubuntu: https://launchpad.net/bugs/ +Forwarded: +Reviewed-By: +Last-Update: + +--- securityonion-squert-20161212.orig/.inc/callback.php ++++ securityonion-squert-20161212/.inc/callback.php +@@ -325,6 +325,10 @@ function level0() { + $query->execute($merged_params); + // fetch the data and encode to json + $rows = $query->fetchAll(PDO::FETCH_ASSOC); ++ // the frontend expects all values to be strings ++ for ($i=0;$iexecute($merged_params); + // fetch the data and encode to json + $rows = $query->fetchAll(PDO::FETCH_ASSOC); ++ // the frontend expects all values to be strings ++ for ($i=0;$i + TODO: Put a short summary on the line above and replace this paragraph + with a longer explanation of this change. Complete the meta-information + with other relevant fields (see below for details). To make it easier, the + information below has been extracted from the changelog. Adjust it or drop + it. + . + securityonion-squert (20161212-1ubuntu1securityonion13) trusty; urgency=medium + . + * Squert: comment search not working #1119 +Author: Doug Burks + +--- +The information above should follow the Patch Tagging Guidelines, please +checkout http://dep.debian.net/deps/dep3/ to learn about the format. 
Here +are templates for supplementary fields that you might want to add: + +Origin: , +Bug: +Bug-Debian: http://bugs.debian.org/ +Bug-Ubuntu: https://launchpad.net/bugs/ +Forwarded: +Reviewed-By: +Last-Update: + +--- securityonion-squert-20161212.orig/.inc/callback.php ++++ securityonion-squert-20161212/.inc/callback.php +@@ -174,9 +174,9 @@ function level0() { + $filter = hextostr($_REQUEST['filter']); + if ($filter != 'empty') { + if (substr($filter, 0,4) == 'cmt ') { +- $comment = mysql_real_escape_string(explode('cmt ', $filter)); ++ $comment = explode('cmt ', $filter); + $qp2 = "LEFT JOIN history ON event.sid = history.sid AND event.cid = history.cid +- WHERE history.comment = '$comment[1]'"; ++ WHERE history.comment = '" . mysql_real_escape_string($comment[1]) . "'"; + } else { + // this needs to be fixed + $filter = str_replace('<','<', $filter); +--- securityonion-squert-20161212.orig/login.php ++++ securityonion-squert-20161212/login.php +@@ -130,7 +130,7 @@ Password
+

+ + +-
Version 1.6.4©2016 Paul Halliday
++
Version 1.6.5©2016 Paul Halliday
+ + + diff --git a/debian/patches/Squert:-error-when-removing-comment-#1066 b/debian/patches/Squert:-error-when-removing-comment-#1066 new file mode 100644 index 0000000..a0c203c --- /dev/null +++ b/debian/patches/Squert:-error-when-removing-comment-#1066 @@ -0,0 +1,36 @@ +Description: + TODO: Put a short summary on the line above and replace this paragraph + with a longer explanation of this change. Complete the meta-information + with other relevant fields (see below for details). To make it easier, the + information below has been extracted from the changelog. Adjust it or drop + it. + . + securityonion-squert (20161212-1ubuntu1securityonion10) trusty; urgency=medium + . + * Squert: error when removing comment #1066 +Author: Doug Burks + +--- +The information above should follow the Patch Tagging Guidelines, please +checkout http://dep.debian.net/deps/dep3/ to learn about the format. Here +are templates for supplementary fields that you might want to add: + +Origin: , +Bug: +Bug-Debian: http://bugs.debian.org/ +Bug-Ubuntu: https://launchpad.net/bugs/ +Forwarded: +Reviewed-By: +Last-Update: + +--- securityonion-squert-20161212.orig/.inc/callback.php ++++ securityonion-squert-20161212/.inc/callback.php +@@ -724,7 +724,7 @@ function remove_comment() { + $user = $_SESSION['sUser']; + $comment = hextostr($_REQUEST['comment']); + $comment = mysql_real_escape_string($comment); +- $query = "DELETE FROM sguildb.history WHERE comment = '$comment'"; ++ $query = "DELETE FROM history WHERE comment = '$comment'"; + mysql_query($query); + $result = mysql_error(); + $return = array("msg" => $result); diff --git a/debian/patches/Squert:-improve-consistency-of-username-handling-Security-Onion-Solutionssecurity-onion#1643 b/debian/patches/Squert:-improve-consistency-of-username-handling-Security-Onion-Solutionssecurity-onion#1643 new file mode 100644 index 0000000..7e53bcd --- /dev/null 
+++ b/debian/patches/Squert:-improve-consistency-of-username-handling-Security-Onion-Solutionssecurity-onion#1643 @@ -0,0 +1,45 @@ +Description: + TODO: Put a short summary on the line above and replace this paragraph + with a longer explanation of this change. Complete the meta-information + with other relevant fields (see below for details). To make it easier, the + information below has been extracted from the changelog. Adjust it or drop + it. + . + securityonion-squert (20161212-1ubuntu1securityonion44) xenial; urgency=medium + . + * Squert: improve consistency of username handling Security-Onion-Solutions/security-onion#1643 +Author: Doug Burks + +--- +The information above should follow the Patch Tagging Guidelines, please +checkout http://dep.debian.net/deps/dep3/ to learn about the format. Here +are templates for supplementary fields that you might want to add: + +Origin: , +Bug: +Bug-Debian: https://bugs.debian.org/ +Bug-Ubuntu: https://launchpad.net/bugs/ +Forwarded: +Reviewed-By: +Last-Update: + +--- securityonion-squert-20161212.orig/login.php ++++ securityonion-squert-20161212/login.php +@@ -82,7 +82,7 @@ function cleanUp($string) { + } + + // if $username was found in database, then check password +- if ( isset($userName) && $username == $userName) { ++ if ( isset($userName) && strtolower($username) == strtolower($userName) ) { + // The first 2 chars are the salt + $theSalt = substr($userHash, 0,2); + +@@ -150,7 +150,7 @@ Password
+

+ + +-
Version 1.8.1©2016 Paul Halliday
++
Version 1.8.2©2016 Paul Halliday
+ + + diff --git a/debian/patches/Squert:-ip2c-avoid-hard-loop-when-file-unavailable-#1067 b/debian/patches/Squert:-ip2c-avoid-hard-loop-when-file-unavailable-#1067 new file mode 100644 index 0000000..e76f95b --- /dev/null +++ b/debian/patches/Squert:-ip2c-avoid-hard-loop-when-file-unavailable-#1067 @@ -0,0 +1,37 @@ +Description: + TODO: Put a short summary on the line above and replace this paragraph + with a longer explanation of this change. Complete the meta-information + with other relevant fields (see below for details). To make it easier, the + information below has been extracted from the changelog. Adjust it or drop + it. + . + securityonion-squert (20161212-1ubuntu1securityonion12) trusty; urgency=medium + . + * Squert: ip2c avoid hard loop when file unavailable #1067 +Author: Doug Burks + +--- +The information above should follow the Patch Tagging Guidelines, please +checkout http://dep.debian.net/deps/dep3/ to learn about the format. Here +are templates for supplementary fields that you might want to add: + +Origin: , +Bug: +Bug-Debian: http://bugs.debian.org/ +Bug-Ubuntu: https://launchpad.net/bugs/ +Forwarded: +Reviewed-By: +Last-Update: + +--- securityonion-squert-20161212.orig/.scripts/ip2c.tcl ++++ securityonion-squert-20161212/.scripts/ip2c.tcl +@@ -403,8 +403,7 @@ if {$fail == "no"} { + set x [expr $x - 1] + } + } else { +- puts "Checksum not found. Retrying..\n" +- set x [expr $x - 1] ++ puts "Checksum not found. Skipping..\n" + } + } + diff --git a/debian/patches/add-config.php b/debian/patches/add-config.php new file mode 100644 index 0000000..9b363b1 --- /dev/null +++ b/debian/patches/add-config.php 
@@ -0,0 +1,70 @@ +Description: + TODO: Put a short summary on the line above and replace this paragraph + with a longer explanation of this change. Complete the meta-information + with other relevant fields (see below for details). To make it easier, the + information below has been extracted from the changelog. Adjust it or drop + it. + . + securityonion-squert (20161212-1ubuntu1securityonion2) trusty; urgency=medium + . + * add config.php +Author: Doug Burks + +--- +The information above should follow the Patch Tagging Guidelines, please +checkout http://dep.debian.net/deps/dep3/ to learn about the format. Here +are templates for supplementary fields that you might want to add: + +Origin: , +Bug: +Bug-Debian: http://bugs.debian.org/ +Bug-Ubuntu: https://launchpad.net/bugs/ +Forwarded: +Reviewed-By: +Last-Update: + +--- /dev/null ++++ securityonion-squert-20161212/.inc/config.php +@@ -0,0 +1,42 @@ ++ 'system', ++// \Guzzle\Http\Client::CURL_OPTIONS => [ ++// CURLOPT_SSL_VERIFYPEER => true, ++// CURLOPT_CAINFO => '/etc/ssl/elasticsearch/es.pem', ++// CURLOPT_SSLCERTTYPE => 'PEM', ++// ] ++//); ++ ++//$clientparams['connectionParams']['auth'] = array( ++// 'username', // Username ++// 'password', // Password ++// 'Basic' // Auth: Basic, Digest, NTLM, Any ++//); ++ ++// Where are the rules? If you have multiple dirs, separate each with: || ++$rulePath = "/etc/nsm/rules"; ++?> diff --git a/debian/patches/add-hash-to-object_mappings-table b/debian/patches/add-hash-to-object_mappings-table new file mode 100644 index 0000000..04fddc1 --- /dev/null +++ b/debian/patches/add-hash-to-object_mappings-table 
@@ -0,0 +1,57 @@
+Description:
+ TODO: Put a short summary on the line above and replace this paragraph
+ with a longer explanation of this change. Complete the meta-information
+ with other relevant fields (see below for details). To make it easier, the
+ information below has been extracted from the changelog. Adjust it or drop
+ it.
+ .
+ securityonion-squert (20161212-1ubuntu1securityonion6) trusty; urgency=medium
+ .
+ * add hash to object_mappings table
+Author: Doug Burks
+
+---
+The information above should follow the Patch Tagging Guidelines, please
+checkout http://dep.debian.net/deps/dep3/ to learn about the format. Here
+are templates for supplementary fields that you might want to add:
+
+Origin: ,
+Bug:
+Bug-Debian: http://bugs.debian.org/
+Bug-Ubuntu: https://launchpad.net/bugs/
+Forwarded:
+Reviewed-By:
+Last-Update:
+
+--- securityonion-squert-20161212.orig/.scripts/securityonion_update.sh
++++ securityonion-squert-20161212/.scripts/securityonion_update.sh
+@@ -44,6 +44,15 @@ if [ -d /var/lib/mysql/securityonion_db/
+ $MYSQL "UPDATE filters SET type = 'filter' WHERE type IS NULL;;"
+ fi
+
++ # object_mappings table - hash
++ if $MYSQL "DESCRIBE object_mappings" | grep hash >/dev/null 2>&1 ; then
++ echo "object_mappings table already has hash field."
++ else
++ echo "Adding hash field to object_mappings table."
++ $MYSQL "ALTER TABLE object_mappings ADD hash CHAR(32);"
++ $MYSQL "ALTER TABLE object_mappings DROP PRIMARY KEY , ADD PRIMARY KEY (hash);"
++ fi
++
+ # Idempotent operations
+ cat /var/www/so/squert/.scripts/securityonion_update.sql | mysql --defaults-file=/etc/mysql/debian.cnf -U securityonion_db > /var/log/nsm/squert_update.log
+
+--- securityonion-squert-20161212.orig/.scripts/securityonion_update.sql
++++ securityonion-squert-20161212/.scripts/securityonion_update.sql
+@@ -69,9 +69,10 @@ CREATE TABLE IF NOT EXISTS object_mappin
+ type VARCHAR(4),
+ object VARCHAR(255),
+ value VARCHAR(255),
++ hash CHAR(32),
+ INDEX type (type),
+ INDEX object (object),
+- PRIMARY KEY (type,object)
++ PRIMARY KEY (hash)
+ );
+
+ CREATE TABLE IF NOT EXISTS filters
diff --git a/debian/patches/add-row-for-Bro-agent b/debian/patches/add-row-for-Bro-agent
new file mode 100644
index 0000000..113a747
--- /dev/null
+++ b/debian/patches/add-row-for-Bro-agent
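Review bot: `ALTER TABLE object_mappings DROP PRIMARY KEY , ADD PRIMARY KEY (hash);` runs immediately after the column is added and before anything is written to it, so on a table that already holds more than one row every `hash` is NULL and MySQL rejects the new key with a duplicate-entry error; no `set -e` is visible, so the script carries on, and on the next run `grep hash` sees the column and prints "already has hash field", so the key swap is never retried. The changelog at the top of this page has a later "populate empty hash fields" entry, which is consistent with this ordering problem. Populate the column before swapping the key, e.g. `$MYSQL "UPDATE object_mappings SET hash = MD5(CONCAT(type, object)) WHERE hash IS NULL;"` between the two ALTERs (MD5 of type+object is a constructed example — use whatever hash the PHP side computes), and check the ALTER's exit status before declaring success. `grep hash` also matches any DESCRIBE row containing that substring; `grep -qw '^hash'` is the intended test. If `hash` is the primary key, `securityonion_update.sql` should declare it `CHAR(32) NOT NULL` rather than relying on MySQL to add the constraint implicitly.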
@@ -0,0 +1,36 @@
+Description:
+ TODO: Put a short summary on the line above and replace this paragraph
+ with a longer explanation of this change. Complete the meta-information
+ with other relevant fields (see below for details). To make it easier, the
+ information below has been extracted from the changelog. Adjust it or drop
+ it.
+ .
+ securityonion-squert (20161212-1ubuntu1securityonion27) trusty; urgency=medium
+ .
+ * add row for Bro agent
+Author: Doug Burks
+
+---
+The information above should follow the Patch Tagging Guidelines, please
+checkout http://dep.debian.net/deps/dep3/ to learn about the format. Here
+are templates for supplementary fields that you might want to add:
+
+Origin: ,
+Bug:
+Bug-Debian: http://bugs.debian.org/
+Bug-Ubuntu: https://launchpad.net/bugs/
+Forwarded:
+Reviewed-By:
+Last-Update:
+
+--- securityonion-squert-20161212.orig/.inc/callback.php
++++ securityonion-squert-20161212/.inc/callback.php
+@@ -619,6 +619,8 @@ function payload() {
+ $row = $query->fetchall(PDO::FETCH_ASSOC);
+ if (array_key_exists(0, $row)) {
+ $rows[] = $row[0];
++ // Add the row again for Bro agent
++ $rows[] = $row[0];
+ }
+ $theJSON = json_encode($rows);
+ echo $theJSON;
diff --git a/debian/patches/add-securityonion-squert.cnf b/debian/patches/add-securityonion-squert.cnf
new file mode 100644
index 0000000..569cc07
--- /dev/null
+++ b/debian/patches/add-securityonion-squert.cnf
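Review bot: The new `// Add the row again for Bro agent` comment says what the duplicated `$rows[] = $row[0];` does but not why the payload response has to contain the same row twice, so the next reader cannot tell whether this is a workaround for the frontend indexing rows by position or a genuine data requirement, nor when it can be removed. The exact reason is not visible in the hunk, so confirm it and then state it, e.g. `// the frontend expects two rows here (NIDS + Bro agent); no separate Bro row exists, so the first row is reused — see <issue reference>`. `payload()` starts before and ends after this hunk.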
@@ -0,0 +1,33 @@
+Description:
+ TODO: Put a short summary on the line above and replace this paragraph
+ with a longer explanation of this change. Complete the meta-information
+ with other relevant fields (see below for details). To make it easier, the
+ information below has been extracted from the changelog. Adjust it or drop
+ it.
+ .
+ securityonion-squert (20161212-1ubuntu1securityonion1) trusty; urgency=low
+ .
+ * Initial release
+Author: Doug Burks
+
+---
+The information above should follow the Patch Tagging Guidelines, please
+checkout http://dep.debian.net/deps/dep3/ to learn about the format. Here
+are templates for supplementary fields that you might want to add:
+
+Origin: ,
+Bug:
+Bug-Debian: http://bugs.debian.org/
+Bug-Ubuntu: https://launchpad.net/bugs/
+Forwarded:
+Reviewed-By:
+Last-Update:
+
+--- /dev/null
++++ securityonion-squert-20161212/.scripts/securityonion-squert.cnf
+@@ -0,0 +1,5 @@
++[mysqld]
++group_concat_max_len = 100000
++
++[mysqltcl]
++local-infile=1
diff --git a/debian/patches/allow-pivot-to-elsa-or-elastic b/debian/patches/allow-pivot-to-elsa-or-elastic
new file mode 100644
index 0000000..41c1c21
--- /dev/null
+++ b/debian/patches/allow-pivot-to-elsa-or-elastic
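Review bot: `local-infile=1` under `[mysqltcl]` enables `LOAD DATA LOCAL INFILE` for every program that reads that client option group, and nothing in the file says which script needs it; because that option allows the server side of a connection to request files from the client's filesystem, it should be documented and limited to the one consumer. A comment above the line such as `# LOAD DATA LOCAL needed by <script name> only` (script name to be filled in from the `.scripts` tree) would record the intent, and if a single script is the consumer, setting the option in that script's own connection parameters instead of a shared config is tighter. `debian/install` drops this file into `etc/mysql/conf.d/`, so as written it applies system-wide.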
@@ -0,0 +1,53 @@
+Description:
+ TODO: Put a short summary on the line above and replace this paragraph
+ with a longer explanation of this change. Complete the meta-information
+ with other relevant fields (see below for details). To make it easier, the
+ information below has been extracted from the changelog. Adjust it or drop
+ it.
+ .
+ securityonion-squert (20161212-1ubuntu1securityonion25) trusty; urgency=medium
+ .
+ * allow pivot to ELSA or Elastic
+Author: Doug Burks
+
+---
+The information above should follow the Patch Tagging Guidelines, please
+checkout http://dep.debian.net/deps/dep3/ to learn about the format. Here
+are templates for supplementary fields that you might want to add:
+
+Origin: ,
+Bug:
+Bug-Debian: http://bugs.debian.org/
+Bug-Ubuntu: https://launchpad.net/bugs/
+Forwarded:
+Reviewed-By:
+Last-Update:
+
+--- securityonion-squert-20161212.orig/.scripts/securityonion_create_elsa_link.sh
++++ securityonion-squert-20161212/.scripts/securityonion_create_elsa_link.sh
+@@ -4,6 +4,8 @@ MYSQL="mysql --defaults-file=/etc/mysql/
+
+ if [ -d /var/lib/mysql/securityonion_db/ ]; then
+
++ # Configure Squert to pivot to ELSA or Elastic for lookups.
++
+ # ELSA lookup
+ if grep "ELSA=YES" /etc/nsm/securityonion.conf >/dev/null 2>&1; then
+ if grep "pcap_url" /etc/elsa_web.conf >/dev/null 2>&1; then
+@@ -14,4 +16,16 @@ if [ -d /var/lib/mysql/securityonion_db/
+ fi
+ fi
+
++ # Elastic lookup
++ if grep 'KIBANA_ENABLED="yes"' /etc/nsm/securityonion.conf >/dev/null 2>&1; then
++ # Remove ELSA link from Squert
++ mysql --defaults-file=/etc/mysql/debian.cnf -Dsecurityonion_db -e 'delete from filters where alias="ELSA";'
++ # Add Elastic link to Squert
++ ALIAS="Kibana"
++ HEXALIAS=$(xxd -pu -c 256 <<< "$ALIAS")
++ URL="/app/kibana#/dashboard/68563ed0-34bf-11e7-9b32-bb903919ead9?_g=(refreshInterval:(display:Off,pause:!f,value:0),time:(from:now-24h,mode:quick,to:now))&_a=(columns:!(_source),index:'*:logstash-*',interval:auto,query:(query_string:(analyze_wildcard:!t,query:'\"\${var}\"')),sort:!('@timestamp',desc))"
++ HEXURL=$(xxd -pu -c 356 <<< "$URL")
++ $MYSQL "REPLACE INTO filters (type,username,global,name,notes,alias,filter) VALUES ('url','','1','$HEXALIAS','','$ALIAS','$HEXURL');"
++ fi
++
+ fi
diff --git a/debian/patches/begin-transition-to-pdo-prepared-statements b/debian/patches/begin-transition-to-pdo-prepared-statements
new file mode 100644
index 0000000..324792d
--- /dev/null
+++ b/debian/patches/begin-transition-to-pdo-prepared-statements
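Review bot: `HEXALIAS=$(xxd -pu -c 256 <<< "$ALIAS")` and `HEXURL=$(xxd -pu -c 356 <<< "$URL")` hex-encode a trailing newline, because a bash here-string always appends one, so the stored alias and URL end in `0a`; `-c 356` also means a URL longer than 356 bytes would be emitted on several lines and land in the table with embedded newlines. `HEXALIAS=$(printf '%s' "$ALIAS" | xxd -p | tr -d '\n')`, and the same for `HEXURL`, avoids both. The ELSA-link removal calls a bare `mysql --defaults-file=/etc/mysql/debian.cnf -Dsecurityonion_db -e '...'` while the rest of the script goes through the `$MYSQL` wrapper defined at the top (visible, truncated, in the hunk header), so `$MYSQL 'delete from filters where alias="ELSA";'` would be consistent — assuming the wrapper selects the same database, which the truncated header does not show. Whether the ELSA branch above uses the same here-string encoding is partly outside the hunk.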
@@ -0,0 +1,269 @@ +Description: + TODO: Put a short summary on the line above and replace this paragraph + with a longer explanation of this change. Complete the meta-information + with other relevant fields (see below for details). To make it easier, the + information below has been extracted from the changelog. Adjust it or drop + it. + . + securityonion-squert (20161212-1ubuntu1securityonion23) trusty; urgency=medium + . + * begin transition to pdo prepared statements +Author: Doug Burks + +--- +The information above should follow the Patch Tagging Guidelines, please +checkout http://dep.debian.net/deps/dep3/ to learn about the format. Here +are templates for supplementary fields that you might want to add: + +Origin: , +Bug: +Bug-Debian: http://bugs.debian.org/ +Bug-Ubuntu: https://launchpad.net/bugs/ +Forwarded: +Reviewed-By: +Last-Update: + +--- securityonion-squert-20161212.orig/.inc/callback.php ++++ securityonion-squert-20161212/.inc/callback.php +@@ -9,10 +9,20 @@ if (!(isset($_SESSION['sLogin']) && $_SE + $base = dirname(__FILE__); + include_once "$base/config.php"; + include_once "$base/functions.php"; +- ++// original database connection info + $link = mysql_connect($dbHost,$dbUser,$dbPass); + $db = mysql_select_db($dbName,$link); +- ++// PDO prepared statements ++try { ++ // first connect to database with the PDO object. ++ $dbpdo = new PDO("mysql:host=$dbHost;dbname=$dbName;charset=utf8", "$dbUser", "$dbPass", [ ++ PDO::ATTR_EMULATE_PREPARES => false, ++ PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION ++ ]); ++} catch(PDOException $e){ ++ // if connection fails, log PDO error. ++ error_log("Error connecting to mysql: ". 
$e->getMessage()); ++} + $type = $_REQUEST['type']; + + $types = array( +@@ -43,10 +53,12 @@ $types = array( + ); + + $type = $types[$type]; ++//error_log("type is $type"); + + if (isset($_REQUEST['ts'])) { + // Need EC + $tsParts = explode("|", mysql_real_escape_string(hextostr($_REQUEST['ts']))); ++ //$tsParts = explode("|", hextostr($_REQUEST['ts'])); + $sdate = $tsParts[0]; + $edate = $tsParts[1]; + $stime = $tsParts[2]; +@@ -55,15 +67,43 @@ if (isset($_REQUEST['ts'])) { + $start = "CONVERT_TZ('$sdate $stime','$offset','+00:00')"; + $end = "CONVERT_TZ('$edate $etime','$offset','+00:00')"; + $when = "event.timestamp BETWEEN $start AND $end"; ++ // combine start date and start time for prepared statements ++ $sdatetime = "$sdate $stime"; ++ // combine end date and end time for prepared statements ++ $edatetime = "$edate $etime"; + } + ++// user can specify sensors + if (isset($_REQUEST['sensors'])) { + $sensors = hextostr($_REQUEST['sensors']); + if ($sensors == 'empty') { + $sensors = ''; ++ $sensorsclean = ''; ++ $in = ''; ++ $sensor_params = array(); ++ } else { ++ // $sensors looks like this: ++ // AND event.sid IN('3','1') ++ // let's clean that up so we can use prepared statements ++ $sensorsclean = ltrim($sensors, 'AND event.sid IN('); ++ $sensorsclean = rtrim($sensorsclean, ')'); ++ $sensorsclean = str_replace("'","", $sensorsclean); ++ // now we need to dynamically build IN for prepared statement based on: ++ // https://phpdelusions.net/pdo#like ++ $ids = explode(",", $sensorsclean); ++ $in = ""; ++ foreach ($ids as $i => $item) ++ { ++ $key = ":id".$i; ++ $in .= "$key,"; ++ $sensor_params[$key] = $item; // collecting values into key-value array ++ } ++ $in = rtrim($in,","); // :id0,:id1,:id2 ++ $sensors = "AND event.sid IN($in)"; + } + } + ++// rt is the queue-only toggle on the left + if (isset($_REQUEST['rt'])) { + $rt = $_REQUEST['rt']; + if ($rt == 1) { +@@ -78,23 +118,26 @@ if (!$type) { + } + + function ec() { +- +- global $when, $sensors; +- +- 
$query = "SELECT COUNT(status) AS count, status +- FROM event +- LEFT JOIN sensor AS s ON event.sid = s.sid +- WHERE $when +- $sensors +- GROUP BY status"; +- +- $result = mysql_query($query); +- +- $rows = array(); +- +- while ($row = mysql_fetch_assoc($result)) { +- $rows[] = $row; +- } ++ // This function returns event count grouped by status. ++ // This is used to populate the numbers in the Classification section on the left side of the Events tab. ++ // This function has been updated to use PDO prepared statements. ++ global $sdatetime, $edatetime, $offset, $sensors, $sensor_params, $dbpdo; ++ ++ // build statement ++ $statement = "SELECT COUNT(status) AS count, status FROM event LEFT JOIN sensor AS s ON event.sid = s.sid ++ WHERE event.timestamp BETWEEN CONVERT_TZ(:sdatetime,:soffset,'+00:00') AND CONVERT_TZ(:edatetime,:eoffset,'+00:00') ++ $sensors ++ GROUP BY status;"; ++ // debug ++ //error_log("$statement"); ++ // prepare statement ++ $query = $dbpdo->prepare("$statement"); ++ // build parameters for prepared statement ++ $params = [":sdatetime" => "$sdatetime", ":edatetime" => "$edatetime", ":soffset" => "$offset", ":eoffset" => "$offset"]; ++ // execute the prepared statement and pass it the local params array and the sensor_params array ++ $query->execute(array_merge($params,$sensor_params)); ++ // fetch the data and encode to json ++ $rows = $query->fetchAll(PDO::FETCH_ASSOC); + $theJSON = json_encode($rows); + echo $theJSON; + } +@@ -169,42 +212,86 @@ function signatures() { + } + + function level0() { +- global $offset, $when, $sensors, $rt; +- $sv = mysql_real_escape_string($_REQUEST['sv']); ++ // This function has been updated to use PDO prepared statements. ++ global $offset, $when, $sensors, $rt, $sdatetime, $edatetime, $sensorsclean, $sensor_params, $dbpdo; ++ // $sv is for sorting. For example: DESC ++ // this cannot be done via prepared statement, so we use a whitelist approach ++ $sv = mysql_real_escape_string($_REQUEST['sv']) == 'DESC' ? 
'DESC' : 'ASC'; + $filter = hextostr($_REQUEST['filter']); ++ // $filter comes from the filter box in the upper right corner of the Events tab. Default: empty + if ($filter != 'empty') { + if (substr($filter, 0,4) == 'cmt ') { ++ // user entered cmt into the filter box ++ // pull their filter out and place it into the prepared statement array + $comment = explode('cmt ', $filter); ++ $filtercmt = mysql_real_escape_string($comment[1]); + $qp2 = "LEFT JOIN history ON event.sid = history.sid AND event.cid = history.cid +- WHERE history.comment = '" . mysql_real_escape_string($comment[1]) . "'"; ++ WHERE history.comment = :filtercmt"; ++ // build parameters for prepared statement ++ $params = [":sdatetime" => "$sdatetime", ":edatetime" => "$edatetime", ":soffset" => "$offset", ":eoffset" => "$offset", ":maxoffset" => "$offset", ":groupoffset" => "$offset", ":filtercmt" => "$filtercmt"]; + } else { ++ // if the user didn't enter cmt, then they may be using one of the built-in filters ++ // for example, if the user wants to search for alerts with src or dst ip in US: ++ // cc us ++ // we'll then receive the following: ++ // (msrc.cc = 'us' OR mdst.cc = 'us') ++ // the general strategy is to try to match this with one of the built-in filters to ensure validity ++ // then build a prepared statement + // this needs to be fixed + $filter = str_replace('<','<', $filter); + $filter = str_replace('>','>', $filter); +- $filter = "AND " . 
$filter; +- $qp2 = "WHERE $when ++ // build parameters for prepared statement ++ $params = [":sdatetime" => "$sdatetime", ":edatetime" => "$edatetime", ":soffset" => "$offset", ":eoffset" => "$offset", ":maxoffset" => "$offset", ":groupoffset" => "$offset"]; ++ // find whatever is enclosed in single ticks and replace with $ ++ $exploded=explode("'",$filter); ++ $filtervar=$exploded[1]; ++ $compfilter = str_replace($filtervar, '$', $filter); ++ // retrieve all valid filters from database ++ $statement="SELECT UNHEX(filter) from filters where type='filter';"; ++ $query = $dbpdo->prepare("$statement"); ++ $query->execute(); ++ $rows = $query->fetchAll(PDO::FETCH_BOTH); ++ // search for user filter in list of valid filters ++ $newfilter = ""; ++ foreach ($rows as $row) { ++ if ( "$compfilter" == "$row[0]" ) { ++ $newfilter = $row[0]; ++ $i=0; ++ while (strpos($newfilter, "'\$'") !== false) { ++ $newfilter = preg_replace('/\'\$\'/', ":filtervar$i", "$newfilter", 1); ++ $params[":filtervar$i"] = $filtervar; ++ $i++; ++ } ++ $filter = "AND " . 
$newfilter; ++ } ++ } ++ $qp2 = "WHERE event.timestamp BETWEEN CONVERT_TZ(:sdatetime,:soffset,'+00:00') AND CONVERT_TZ(:edatetime,:eoffset,'+00:00') + $sensors + $filter + $rt"; + } + } else { +- $qp2 = "WHERE $when ++ // filter box was empty so we'll just build a prepared statement using sensors and rt values ++ $qp2 = "WHERE event.timestamp BETWEEN CONVERT_TZ(:sdatetime,:soffset,'+00:00') AND CONVERT_TZ(:edatetime,:eoffset,'+00:00') + $sensors + $rt"; ++ // build parameters for prepared statement ++ $params = [":sdatetime" => "$sdatetime", ":edatetime" => "$edatetime", ":soffset" => "$offset", ":eoffset" => "$offset", ":maxoffset" => "$offset", ":groupoffset" => "$offset"]; + } + +- $query = "SELECT COUNT(event.signature) AS f1, ++ // build statement ++ $statement="SELECT COUNT(event.signature) AS f1, + event.signature AS f2, + event.signature_id AS f3, + event.signature_gen AS f4, +- MAX(CONVERT_TZ(event.timestamp,'+00:00','$offset')) AS f5, ++ MAX(CONVERT_TZ(event.timestamp,'+00:00',:maxoffset)) AS f5, + COUNT(DISTINCT(event.src_ip)) AS f6, + COUNT(DISTINCT(event.dst_ip)) AS f7, + event.ip_proto AS f8, + GROUP_CONCAT(DISTINCT(event.status)) AS f9, + GROUP_CONCAT(DISTINCT(event.sid)) AS f10, + GROUP_CONCAT(event.status) AS f11, +- GROUP_CONCAT(SUBSTRING(CONVERT_TZ(event.timestamp, '+00:00', '$offset'),12,2)) AS f12, ++ GROUP_CONCAT(SUBSTRING(CONVERT_TZ(event.timestamp, '+00:00', :groupoffset),12,2)) AS f12, + event.priority AS f13, + GROUP_CONCAT(DISTINCT(src_tag.value)) AS f14, + GROUP_CONCAT(DISTINCT(dst_tag.value)) AS f15 +@@ -216,13 +303,14 @@ function level0() { + $qp2 + GROUP BY f3 + ORDER BY f5 $sv"; +- +- $result = mysql_query($query); +- $rows = array(); +- +- while ($row = mysql_fetch_assoc($result)) { +- $rows[] = $row; +- } ++ // debug ++ //error_log("$statement"); ++ // prepare statement ++ $query = $dbpdo->prepare("$statement"); ++ // execute the prepared statement and pass it the local params array and the sensor_params array ++ 
$query->execute(array_merge($params,$sensor_params)); ++ // fetch the data and encode to json ++ $rows = $query->fetchAll(PDO::FETCH_ASSOC); + $theJSON = json_encode($rows); + echo $theJSON; + } diff --git a/debian/patches/bump-version-to-1.6.4 b/debian/patches/bump-version-to-1.6.4 new file mode 100644 index 0000000..92485f5 --- /dev/null +++ b/debian/patches/bump-version-to-1.6.4 @@ -0,0 +1,36 @@ +Description: + TODO: Put a short summary on the line above and replace this paragraph + with a longer explanation of this change. Complete the meta-information + with other relevant fields (see below for details). To make it easier, the + information below has been extracted from the changelog. Adjust it or drop + it. + . + securityonion-squert (20161212-1ubuntu1securityonion11) trusty; urgency=medium + . + * bump version to 1.6.4 +Author: Doug Burks + +--- +The information above should follow the Patch Tagging Guidelines, please +checkout http://dep.debian.net/deps/dep3/ to learn about the format. Here +are templates for supplementary fields that you might want to add: + +Origin: , +Bug: +Bug-Debian: http://bugs.debian.org/ +Bug-Ubuntu: https://launchpad.net/bugs/ +Forwarded: +Reviewed-By: +Last-Update: + +--- securityonion-squert-20161212.orig/login.php ++++ securityonion-squert-20161212/login.php +@@ -130,7 +130,7 @@ Password
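Review bot: In level0(), the filter whitelist is not enforced on a miss: `$filter = "AND " . $newfilter;` is only assigned inside `if ( "$compfilter" == "$row[0]" )`, so when no stored filter matches, `$filter` still holds the decoded `$_REQUEST['filter']` value and is interpolated verbatim into `$qp2 = "WHERE ... $sensors $filter $rt"`, which defeats the move to prepared statements for exactly the input the whitelist was added to contain. After the `foreach ($rows as $row)` loop, add `if ($newfilter === '') { $filter = ''; }` (or return an empty result) so only a matched, parameterised filter reaches the query. The connection `catch(PDOException $e)` only logs and falls through, leaving `$dbpdo` undefined, so the first `$dbpdo->prepare()` in ec() or level0() fails with an uncaught error on null instead of a controlled response; end the catch with `exit;` after the `error_log`, or guard the later calls with `isset($dbpdo)`. Also, `ltrim($sensors, 'AND event.sid IN(')` strips a character set rather than the literal prefix and only stops at the opening quote of the first id by luck; `substr($sensors, strlen('AND event.sid IN('))` says what is meant. `$filtervar=$exploded[1];` raises an undefined-index notice when the filter contains no single quote, so check `count($exploded) > 1` before using it.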
+

+ + +-
Version 1.6.3©2016 Paul Halliday
++
Version 1.6.4©2016 Paul Halliday
+ + + diff --git a/debian/patches/disable-ip2c.php b/debian/patches/disable-ip2c.php new file mode 100644 index 0000000..770e7c5 --- /dev/null +++ b/debian/patches/disable-ip2c.php @@ -0,0 +1,41 @@ +Description: + TODO: Put a short summary on the line above and replace this paragraph + with a longer explanation of this change. Complete the meta-information + with other relevant fields (see below for details). To make it easier, the + information below has been extracted from the changelog. Adjust it or drop + it. + . + securityonion-squert (20161212-1ubuntu1securityonion4) trusty; urgency=medium + . + * disable ip2c.php +Author: Doug Burks + +--- +The information above should follow the Patch Tagging Guidelines, please +checkout http://dep.debian.net/deps/dep3/ to learn about the format. Here +are templates for supplementary fields that you might want to add: + +Origin: , +Bug: +Bug-Debian: http://bugs.debian.org/ +Bug-Ubuntu: https://launchpad.net/bugs/ +Forwarded: +Reviewed-By: +Last-Update: + +--- securityonion-squert-20161212.orig/.inc/ip2c.php ++++ securityonion-squert-20161212/.inc/ip2c.php +@@ -125,6 +125,7 @@ function IP2C($string,$isCLI) { + + } + ++/* + function TheHTML($string) { + + echo "\r +@@ -170,4 +171,5 @@ if (isset($argc)) { + TheHTML($string); + echo $html; + } ++*/ + ?> diff --git a/debian/patches/disable-mysql-strict-mode b/debian/patches/disable-mysql-strict-mode new file mode 100644 index 0000000..7bd4458 --- /dev/null +++ b/debian/patches/disable-mysql-strict-mode 
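Review bot: The disable-ip2c.php patch neutralises TheHTML() and the `if (isset($argc))` CLI block by wrapping them in `/*` and `*/` rather than removing them, leaving the roughly forty lines between the two hunks as dead code in .inc/ip2c.php. PHP block comments do not nest, so any `*/` inside that span (a regex or string, which the two visible hunks cannot confirm or rule out) would terminate the comment early and break the file at parse time. Delete the block instead, or if it must stay for reference, state in the DEP-3 Description why the HTML/CLI path of ip2c is disabled so the next maintainer does not restore it.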
@@ -0,0 +1,35 @@ +Description: + TODO: Put a short summary on the line above and replace this paragraph + with a longer explanation of this change. Complete the meta-information + with other relevant fields (see below for details). To make it easier, the + information below has been extracted from the changelog. Adjust it or drop + it. + . + securityonion-squert (20161212-1ubuntu1securityonion34) xenial; urgency=medium + . + * disable mysql strict mode +Author: Doug Burks + +--- +The information above should follow the Patch Tagging Guidelines, please +checkout http://dep.debian.net/deps/dep3/ to learn about the format. Here +are templates for supplementary fields that you might want to add: + +Origin: , +Bug: +Bug-Debian: http://bugs.debian.org/ +Bug-Ubuntu: https://launchpad.net/bugs/ +Forwarded: +Reviewed-By: +Last-Update: + +--- securityonion-squert-20161212.orig/.scripts/securityonion-squert.cnf ++++ securityonion-squert-20161212/.scripts/securityonion-squert.cnf +@@ -1,6 +1,6 @@ + [mysqld] + group_concat_max_len = 100000 +-sql_mode=STRICT_TRANS_TABLES,NO_ZERO_IN_DATE,NO_ZERO_DATE,ERROR_FOR_DIVISION_BY_ZERO,NO_AUTO_CREATE_USER,NO_ENGINE_SUBSTITUTION ++sql_mode=NO_ZERO_IN_DATE,NO_ZERO_DATE,ERROR_FOR_DIVISION_BY_ZERO,NO_AUTO_CREATE_USER,NO_ENGINE_SUBSTITUTION + + [mysqltcl] + local-infile=1 diff --git a/debian/patches/fix-auth b/debian/patches/fix-auth new file mode 100644 index 0000000..5bd6dde --- /dev/null +++ b/debian/patches/fix-auth 
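Review bot: Removing STRICT_TRANS_TABLES from sql_mode in securityonion-squert.cnf changes the server from rejecting invalid or out-of-range values to silently truncating or coercing them, and because the setting sits under `[mysqld]` it applies to every database on that server, not only squert's, so integrity errors that strict mode would have surfaced as failed writes will now pass unnoticed. The Description should record which statement failed under strict mode so the write itself can be fixed rather than relaxing the mode globally. If the relaxation is genuinely needed, scope it to the affected statements with a session-level `SET sql_mode`, or at least add a comment above the line, e.g. `# STRICT_TRANS_TABLES removed: <statement> fails on <reason>`, so the trade-off is visible to whoever next edits this file.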
@@ -0,0 +1,6915 @@ +Description: + TODO: Put a short summary on the line above and replace this paragraph + with a longer explanation of this change. Complete the meta-information + with other relevant fields (see below for details). To make it easier, the + information below has been extracted from the changelog. Adjust it or drop + it. + . + securityonion-squert (20161212-1ubuntu1securityonion33) xenial; urgency=medium + . + * fix auth +Author: Doug Burks + +--- +The information above should follow the Patch Tagging Guidelines, please +checkout http://dep.debian.net/deps/dep3/ to learn about the format. Here +are templates for supplementary fields that you might want to add: + +Origin: , +Bug: +Bug-Debian: http://bugs.debian.org/ +Bug-Ubuntu: https://launchpad.net/bugs/ +Forwarded: +Reviewed-By: +Last-Update: + +--- securityonion-squert-20161212.orig/auth/native/squert/.js/squertMain.js ++++ /dev/null +@@ -1,3275 +0,0 @@ +-/* Copyright (C) 2012 Paul Halliday */ +- +-$(document).ready(function(){ +- +- $(document).on('click', '[class*="bpr"]', function() { +- // We disallow filtering if any events have already been selected +- // or if we stray from the event tab +- if ($('.d_row_active')[0]) return; +- if ($(".chk_event:checked").length > 0) return; +- if ($(".tab_active").attr('id') != 't_sum') return; +- +- var prClass = $(this).attr('class').split('b')[1]; +- var prOld = $(this).data('pr'); +- +- function flipIt(pattern) { +- $(pattern).closest('tr').hide(); +- $(pattern).closest('tr').attr('class','hidden'); +- if ($('#gr').text() == 'on') $(pattern).closest('tr').find('.chk_event').prop("disabled",true); +- } +- if ($('.b' + prClass).attr('class') == 'bprA') { +- $('.b' + prClass).attr('class', 'bpr' + prOld); +- $('.hidden').attr('class','d_row'); +- $('.d_row').show(); +- if ($('#gr').text() == 'on') { +- $('.chk_event').prop("disabled",false); +- $('.chk_all').prop("checked",false); +- $('.chk_event').css("background-color", "#fafafa"); +- } +- } else { 
+- // See if we are already filtered +- if ($('.bprA')[0]) { +- $('.hidden').attr('class','d_row'); +- $('.d_row').show(); +- if ($('#gr').text() == 'on') { +- $('.chk_event').prop("disabled",false); +- $('.chk_all').prop("checked",false); +- $('.chk_event').css("background-color", "#fafafa"); +- } +- var prPrev = $('.bprA').data('pr'); +- $('.bprA').attr('class', 'bpr' + prPrev); +- } +- $('.b' + prClass).attr('class','bprA'); +- switch (prClass) { +- case "pr1": ptrn = ".pr2,.pr3,.pr4"; break; +- case "pr2": ptrn = ".pr1,.pr3,.pr4"; break; +- case "pr3": ptrn = ".pr1,.pr2,.pr4"; break; +- case "pr4": ptrn = ".pr1,.pr2,.pr3"; break; +- } +- flipIt(ptrn); +- } +- }); +- +- // +- // Load main content +- // +- +- // Keep track of context +- thisUser = $('#t_usr').data('c_usr'); +- thisTZ = $('#user_tz').val(); +- rtbit = 0; +- eventList("0-aaa-00"); +- $("#loader").show(); +- lastclasscount = 0; +- +- $(document).on("click", "#dt_savetz", function(event) { +- if ($('.dt_error').data('err') == 0) { +- var newOffset = $('#ts_offset').val(); +- profileUpdate("tz", s2h(newOffset)); +- $('#user_tz').val(newOffset); +- } +- }); +- +- // Depending on context a 'No result' may be confusing +- // so we turn off active queue and show everything +- $(document).on('click', '#retry', function() { +- $('#rt').attr('class','tvalue_off'); +- $('#rt').text('off'); +- rtbit = 0; +- $('.b_update').click(); +- }); +- +- // Get event statuses +- var eTotal = 0, qTotal = 0; +- function statusPoll(caller) { +- // See if we are filtering by sensor +- var theSensors = s2h('empty'); +- if ($('.chk_sen:checked').length > 0) { +- var active_sensors = "AND event.sid IN("; +- var iter = $('.chk_sen:checked').length; +- $('.chk_sen:checked').each(function() { +- active_sensors += "'" + $(this).val() + "',"; +- }); +- active_sensors = active_sensors.replace(/,+$/,''); +- active_sensors += ")"; +- theSensors = s2h(active_sensors); +- } +- +- var urArgs = "type=" + 6 + "&ts=" + theWhen + "&sensors=" 
+ theSensors; +- $(function(){ +- $.get(".inc/callback.php?" + urArgs, function(data){cb(data)}); +- }); +- +- function cb(data){ +- // Check to make sure we still have a valid session. If we don't +- // let the user know and return them to the login page. +- if (data[0] == "<") { +- $("span.class_msg").text("Your session has expired!"); +- $("span.class_msg").css("background-color", "#cc0000"); +- $("span.class_msg").css("color", "#fff"); +- $("span.class_msg").show(); +- var sessionDead = confirm("Your session has expired. Press \"OK\" to return to the login page. If you aren't finished with what you were looking at click 'Cancel'. Note: you won't be able to perform any actions."); +- if (sessionDead) { +- $("#logout").click(); +- } +- } +- eval("ec=" + data); +- +- var esum = 0; +- +- for (var i=0; i 0) { +- var p = parseFloat(ecount/esum*100).toFixed(1); +- var w = parseInt(p*2); +- } +- if (eclass == 0) { +- qTotal = ecount; +- } +- $("#c-" + eclass).text(ecount); +- $("#c-" + eclass).append("(" + p + "%)"); +- } +- +- var lastcount = $("#cat_sum").val(); +- var newcount = esum; +- $("#cat_sum").val(esum); +- eTotal = esum; +- $("#event_sum").val(eTotal); +- +- if (caller == 0) { // Fresh load +- lastcount = newcount; +- } +- +- // Last RT value +- var lastQ = Number($("#qtotal").html()); +- if (lastcount < newcount) { +- $("#etotal").html(eTotal); +- } +- +- if (lastQ < qTotal) { +- if (caller != 0) { +- if ($(".icon_notifier").css('display') == 'none') $(".icon_notifier").fadeToggle(); +- } +- $("#etotal").html(eTotal); +- $("#qtotal").html(qTotal); +- } +- +- $("#title").html("squert (" + qTotal + ") - " + thisUser); +- +- } +- +- } +- +- // +- // Event monitor (how often we poll for new events) +- // +- +- var emTimeout = 30000; +- window.setInterval(function(){ +- if ($('#search').val().length == 0) { +- statusPoll(1); +- } +- }, emTimeout); +- +- $(document).on("click", '[class*="cl_"]', function(event) { +- var nc = $(this).attr('class').split("_"); +- 
var ct = $(this).parents('table').data('comment'); +- $(".cat_msg_txt").val(ct); +- $('#b_class-' + nc[1]).click(); +- }); +- +- // Tabs +- var tab_cached = $("#sel_tab").val(); +- +- switch (tab_cached) { +- case "t_sum": +- $('.content-right').show(); +- break; +- case "t_ovr": +- $('.content-right').hide(); +- $('.content-left').hide(); +- if ($('#ovestat').text().length == 0) loadSummary(); +- break; +- case "t_view": +- $('.content-right').hide(); +- $('.content-left').hide(); +- loadViews(); +- default: +- $('.content-right').hide(); +- $('.content-left').hide(); +- break; +- } +- +- $('#' + tab_cached).attr('class','tab_active'); +- $("#" + tab_cached + "_content").attr('class','content_active'); +- +- $(".tab,.tab_active").click(function(event) { +- var active = $(".tab_active").attr('id'); +- var content = $(".content_active").attr('id'); +- if ($(".fl_val_on")[0]) { +- $('.b_update').click(); +- } +- +- if ( this.id != active ) { +- $("#" + active).removeClass('tab_active'); +- $("#" + active).addClass('tab'); +- $(this).attr('class','tab_active'); +- $("#" + content).attr('class','content'); +- $("#" + this.id + "_content").attr('class','content_active'); +- activeTab = $(".tab_active").attr('id'); +- $('.pin').hide(); +- +- switch (activeTab) { +- case "t_sum": +- $('.content-right').show(); +- if (Number($('.botog').data('val')) == 1) $('.content-left').show(); +- $('.t_pbar').css('opacity',1); +- $('.db_links').hide(); +- $('.pin').show(); +- break; +- case "t_ovr": +- $('.content-right').hide(); +- $('.content-left').hide(); +- if ($('#ovestat').text().length == 0) loadSummary(); +- $('.t_pbar').css('opacity',.1); +- $('.db_links').hide(); +- break; +- case "t_view": +- $('.content-right').hide(); +- $('.content-left').hide(); +- $('.t_pbar').css('opacity',.1); +- loadViews(); +- break; +- default: +- $('.content-right').hide(); +- $('.content-left').hide(); +- $('.t_pbar').css('opacity',.1); +- $('.db_links').hide(); +- break; +- } +- +- 
$('#sel_tab').val(activeTab); +- var ctab = $('#sel_tab').val(); +- var urArgs = "type=" + 5 + "&tab=" + ctab; +- $.get(".inc/callback.php?" + urArgs); +- } +- }); +- +- // Sub tab groups +- $(".tsg").click(function(event) { +- var nc = Number($(this).attr('class').split(/\s/).length); +- var ct = $(this).data('tab'); +- $('.tsg_active').attr('class','tsg'); +- $(this).attr('class','tsg tsg_active'); +- }); +- +- // Toggle and update views +- function newView(req) { +- // No racing please +- var bail = $("#loader").css('display'); +- if (bail != 'none') return; +- // Remove any stale views +- $("#tl0,#tl1,#tl3a,#tl3b").remove(); +- var f = "0-aaa-00"; +- var s = "2a-aaa-00"; +- var cv = $("#gr").text(); +- +- switch (cv) { +- case "on": +- eventList(f); +- $("#loader").show(); +- break; +- case "off": +- eventList(s); +- $("#loader").show(); +- break; +- } +- } +- +- // Group and ungroup +- $(document).on("click", "#gr", function(event) { +- var bail = $("#loader").css('display'); +- if (bail != 'none') return; +- var cv = $('#gr').text(); +- switch (cv) { +- case 'on': +- $('#gr').attr('class','tvalue_off'); +- $('#gr').text('off'); +- break; +- case 'off': +- $('#gr').attr('class','tvalue_on'); +- $('#gr').text('on'); +- $("#event_sort").val("DESC"); +- break; +- } +- }); +- +- // RT check/uncheck +- $(document).on("click", "#rt", function(event) { +- var bail = $("#loader").css('display'); +- if (bail != 'none') return; +- var cv = $('#rt').text(); +- switch (cv) { +- case 'on': +- $('#rt').attr('class','tvalue_off'); +- $('#rt').text('off'); +- rtbit = 0; +- break; +- case 'off': +- $('#rt').attr('class','tvalue_on'); +- $('#rt').text('on'); +- rtbit = 1; +- break; +- } +- }); +- +- // Toggle side/lower bars +- $(document).on("click", ".botog", function(event) { +- if ($('.tab_active').attr('id') != 't_sum') return; +- var n = Number($('.botog').data("val")); +- switch (n) { +- case 1: +- $('.botog').data("val","0"); +- $('.content-right').css("width","100%"); 
+- $('.botog').attr('src','.css/layout0.png'); +- break; +- case 0: +- $('.botog').data("val","1"); +- $('.content-right').css("width","82%"); +- $('.botog').attr('src','.css/layout1.png'); +- break; +- } +- $('.bottom').animate({height: 'toggle'}); +- $('.content-left').animate({width: 'toggle'}); +- }); +- +- // Section show and hide +- $(".st").click(function() { +- var thisSec = $(this).data("sec"); +- var thisSecID = "#sec_" + thisSec; +- var thisSecVis = $(thisSecID).css("display"); +- var lastSection = "h"; +- switch (thisSecVis) { +- case "none": +- $(this).attr("src", ".css/uarr.png"); +- $(thisSecID).slideDown(); +- break; +- default: +- $(this).attr("src", ".css/darr.png"); +- $(thisSecID).slideUp(); +- break; +- } +- }); +- +- // If search is in focus, update on enter +- $('#search').keypress(function(e) { +- if (!e) e=window.event; +- key = e.keyCode ? e.keyCode : e.which; +- if (key == 13) { +- // Close comment box if it is open +- if ($('#cat_box').css('display') != 'none') { +- $('#ico01').click(); +- } +- $('.b_update').click(); +- } +- }); +- +- // Sort ASC/DESC +- $(document).on("click", ".event_time", function(event) { +- var csv = $(".event_time").text(); +- switch (csv) { +- case "show oldest first": +- $("#event_sort").val("ASC"); +- break; +- case "show newest first": +- $("#event_sort").val("DESC"); +- break; +- } +- newView("u"); +- }); +- +- // Update page +- $(document).on("click", ".b_update", function(event) { +- $(".icon_notifier").fadeToggle(); +- $(".tag").remove(); +- $(".tag_empty").show(); +- // Remove any supplementary results +- if ($("#extresult")[0]) $("#extresult").remove(); +- // Where are we? 
+- var curTab = $('.tab_active').attr('id'); +- switch (curTab) { +- case 't_ovr': +- loadSummary(); +- break; +- case 't_view': +- mkView(); +- break; +- default: +- $(".b_update_note").hide(); +- newView("u"); +- break; +- } +- }); +- +- // Clear search and refresh +- $('#clear_search').click(function() { +- if ($('#search').val() != '') { +- $('#search').val(''); +- $("#search").focus(); +- if ($(".fl_val_on")[0]) { +- $('.b_update').click(); +- } +- } +- }); +- +- // Logout +- $("#logout").click(function(event) { +- $.get("index.php?id=0", function(){location.reload()}); +- }); +- +- // Toggle filters +- $(document).on('click', '.fl_val_on', function(event) { +- var wF = $(this).data("ft"); +- switch (wF) { +- case "tl": +- +- break; +- case "ob": +- $('#clear_search').click(); +- break; +- case "sn": +- $(".chk_sen").each(function() { +- $(this).prop("checked",false); +- }); +- $('.b_update').click(); +- break; +- } +- }); +- +- function clearTags() { +- //$(".tag").remove(); +- //$(".tag_empty").show(); +- $(".tag").removeClass('tag_active'); +- } +- +- // +- // Rows +- // +- +- function closeRow() { +- $("#active_eview").remove(); +- $("#" + this.id).attr('class','d_row'); +- $(".d_row").css('opacity','1'); +- ltCol = $(".d_row_active").find('td.lt').html(); +- $(".d_row_active").find('td.lt').css('background', ltCol); +- $(".d_row_active").attr('class','d_row'); +- // Update class_count +- $("#class_count").text(lastclasscount); +- // Get rid of any crashed loaders +- $("#loader").hide(); +- // Reset checkbox +- $(".chk_all").prop("checked",false); +- // Clear Tags +- clearTags(); +- } +- function closeSubRow() { +- $("#eview_sub1").remove(); +- $("#" + this.id).attr('class','d_row_sub'); +- $(".d_row_sub").css('opacity','1'); +- $(".d_row_sub_active").attr('class','d_row_sub'); +- // Update class_count +- $("#class_count").text(lastclasscount); +- curclasscount = lastclasscount; +- $("#loader").hide(); +- // Reset and show checkbox +- 
$(".chk_all").prop("checked",false); +- $("#ca0").show(); +- // Remove any open externals +- if ($("#extresult")[0]) $("#extresult").remove(); +- // Clear Tags +- clearTags(); +- } +- function closeSubRow1() { +- $("#eview_sub2").remove(); +- $("#" + this.id).attr('class','d_row_sub1'); +- if (!$("#eview_sub3")[0]) { +- $(".d_row_sub1").css('opacity','1'); +- $(".d_row_sub_active1").attr('class','d_row_sub1'); +- } +- $("#loader").hide(); +- // Reset checkbox +- $(".chk_all").prop("checked",false); +- // Remove any open externals +- if ($("#extresult")[0]) $("#extresult").remove(); +- // Clear Tags +- clearTags(); +- } +- function closeSubRow2() { +- $("#eview_sub3").remove(); +- $("#" + this.id).attr('class','d_row_sub1'); +- if (!$("#eview_sub2")[0]) { +- $(".d_row_sub1").css('opacity','1'); +- $(".d_row_sub1_active").attr('class','d_row_sub1'); +- } +- $("#loader").hide(); +- // Clear Tags +- clearTags(); +- } +- +- // +- // Level 1 +- // +- +- $(document).on("click", ".row_active", function(event) { +- var curID = $(this).parent('tr').attr('id'); +- // What type of row are we? +- rowType = curID.substr(0,3); +- +- // Make sure no other instances are open +- if (!$(".d_row_active")[0] && rowType == 'sid') { +- $("#loader").show(); +- // This leaves us with sid-gid +- var rowValue = curID.replace("sid-",""); +- var sigID = rowValue.split("-")[0]; +- +- $(".d_row_active").attr('class', 'd_row'); +- $("#active_eview").attr('class','d_row'); +- +- // This is now the active row +- $("#" + curID).attr('class','d_row_active'); +- $("html, body").animate({ scrollTop: $('.d_row_active').offset().top - 140 }, 20); +- // History +- var itemToAdd = $("#" + curID).find('[class*="row_filter"]').text(); +- hItemAdd(itemToAdd); +- // Set the class count (counted again after load) +- curclasscount = $('.d_row_active').data('event_count'); +- var cols = $('th.sort').length; +- var tbl = ''; +- tbl += ""; +- tbl += "
"; +- tbl += "
"; +- tbl += "
"; +- tbl += "
"; +- tbl += "
"; +- tbl += "
"; +- tbl += "
"; +- tbl += "
"; +- tbl += ""; +- tbl += "CATEGORIZE"; +- tbl += curclasscount + "EVENT(S)  "; +- tbl += "    "; +- tbl += "CREATE FILTER: "; +- tbl += "src  "; +- tbl += "dst  "; +- tbl += "both"; +- tbl += "
"; +- $("#" + curID).after(tbl); +- +- // Lookup signature +- sigLookup(rowValue); +- +- // Fetch results +- eventList("1-" + rowValue); +- +- $("#eview").show(); +- $(".d_row").fadeTo('0','0.2'); +- } else { +- closeRow(); +- } +- }); +- +- // +- // Level 2 +- // +- +- $(document).on("click", ".sub_active", function() { +- if (!$(".d_row_sub_active")[0]) { +- var callerID = $(this).parent('tr').attr('id'); +- +- // Reset checkbox +- $(".chk_all").prop("checked",false); +- +- // RT or ALL? +- switch (rtbit) { +- case 1: adqp = s2h("AND event.status = 0"); break; +- case 0: adqp = s2h("empty"); break; +- } +- // We are now the active row +- $("#" + callerID).attr('class','d_row_sub_active'); +- +- // Populate search times +- var bt = $("#" + callerID).find('[class*="timestamp"]').html(); +- var est = mkStamp(bt,"-",3600000,thisTZ); +- var eet = mkStamp(bt,"+",3600000,thisTZ); +- +- $('#el_start').val(est); +- $('#el_end').val(eet); +- +- // Clear search terms +- $("#srchterms").html(''); +- $(".srch_txt").val(''); +- +- // History and search +- $("#" + callerID).find('[class*="sub_filter"]').each(function() { +- if ($(this).data('type') == 'cc') { +- var itemToAdd = $(this).data('value'); +- } else { +- var itemToAdd = $(this).text(); +- // Add search terms +- $("#srchterms").append("" + itemToAdd + "  "); +- } +- hItemAdd(itemToAdd); +- }); +- +- $("#loader").show(); +- eventList("2-" + callerID + "-" + adqp); +- } else { +- closeSubRow(); +- } +- }); +- +- // +- // Level 3 (a or b) request payload +- // +- +- $(document).on("click", ".sub1_active", function() { +- // Close transcript if it is open +- if ($(".eview_sub3")[0]) closeSubRow2(); +- if (!$(".d_row_sub_active1")[0]) { +- var callerID = $(this).parent('tr').attr('id'); +- $("#" + callerID).attr('class','d_row_sub_active1'); +- +- // Populate search times +- var bt = $("#" + callerID).find('[class*="timestamp"]').html(); +- var est = mkStamp(bt,"-",1800000,thisTZ); +- var eet = 
mkStamp(bt,"+",1800000,thisTZ); +- +- $('#el_start').val(est); +- $('#el_end').val(eet); +- +- // Clear search terms +- $("#srchterms").html(''); +- $(".srch_txt").val(''); +- +- // History +- $("#" + callerID).find('[class*="sub_filter"]').each(function() { +- if ($(this).data('type') == 'cc') { +- var itemToAdd = $(this).data('value'); +- } else { +- var itemToAdd = $(this).text(); +- } +- if ($(this).data('type') == 'ip') { +- // Add search terms +- $("#srchterms").append("" + itemToAdd + "  "); +- } +- hItemAdd(itemToAdd); +- }); +- $("#loader").show(); +- eventList("3-" + callerID); +- } else { +- closeSubRow1() +- } +- }); +- +- // +- // Level 3 (a or b) request transcript +- // +- +- $(document).on("click", ".sub2_active", function(event) { +- // Close payload if it is open +- if ($(".eview_sub2")[0]) closeSubRow1(); +- var bail = $("#loader").css('display'); +- if (bail != 'none') return; +- if (!$(".eview_sub3")[0]) { +- $("#loader").show(); +- composite = $(this).data('tx').split("-"); +- rowLoke = composite[0]; +- $("#" + rowLoke).attr('class','d_row_sub1_active'); +- nCols = $("#" + rowLoke).find('td').length; +- cid = composite[1]; +- txdata = composite[2]; +- +- // See if a transcript is available +- var urArgs = "type=" + 7 + "&txdata=" + txdata; +- $(function(){ +- $.post(".inc/callback.php?" + urArgs, function(data){cb5(data)}); +- }); +- +- function cb5(data){ +- eval("txRaw=" + data); +- txCMD = txRaw.cmd; +- txResult = txRaw.tx; +- txDebug = txRaw.dbg; +- if (txResult == "DEBUG:") txResult += " No data was returned."; +- if (!txResult) { +- txResult = "Transcript request failed!

"; +- txResult += "The command was:
" + txCMD + "

"; +- txResult += "The response was:" + txDebug.replace(/DEBUG:/g,"
"); +- } +- +- var row = '',tbl = ''; +- row += ""; +- row += ""; +- row += "
"; +- row += txResult; +- row += "
"; +- +- tbl += ""; +- tbl += row; +- tbl += ""; +- $("#" + rowLoke).after(tbl); +- +- // Turn off fade effect for large results +- var rC = $(".d_row_sub1").length; +- if ( rC <= 399 ) { +- $(".d_row_sub1").fadeTo('fast','0.2'); +- } +- +- $("#loader").hide(); +- } +- } else { +- closeSubRow2(); +- } +- }); +- +- // Toggle RT depending on entry point +- $(document).on("click", ".b_ec_hot", function() { +- rtbit = 1; +- }); +- $(document).on("click", ".b_ec_total", function() { +- rtbit = 0; +- }); +- +- // Filter constructor +- function mkFilter() { +- if ($('#search').val().length > 0) { +- +- var srchVal = $('#search').val(); +- var fParts = ""; +- +- // If no term is supplied default to a string, IP or wildcard IP search +- chkVal: +- if (srchVal.indexOf(" ") == -1 && srchVal[0] != "!") { +- var re = /^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}/; +- if (re.exec(srchVal)) { +- srchVal = "ip " + srchVal; +- break chkVal; +- } +- +- var re = /^(\d{1,3}|%)\.(\d{1,3}|%)\.(\d{1,3}|%)\.(\d{1,3}|%)/; +- if (re.exec(srchVal)) { +- srchVal = "wip " + srchVal; +- break chkVal; +- } +- +- srchVal = "sig " + srchVal; +- } +- +- fParts = srchVal.replace(/^!/,"").split(" "); +- if (fParts[0] == 'cmt') { +- var theFilter = s2h($('#search').val()); +- rtbit = 0; +- } else { +- // Now see if the requested filter exists +- if ($("#tr_" + fParts[0]).length > 0) { +- tmpFilter = $("#tr_" + fParts[0]).data('filter'); +- // Now see if we need to modify the query +- if (fParts[1]) { +- // This is the base filter +- preFilter = h2s(tmpFilter); +- // This is the user supplied text. 
+- var re = new RegExp("^" + fParts[0] + "\\s{1}|[';\\\`]","g"); +- theQuestion = fParts.join(' ').replace(re, ""); +- // We will accept multiple questions if they are comma delimited +- questionParts = theQuestion.split(","); +- if (questionParts.length > 1) { +- var f = '('; +- for (var i = 0; i < questionParts.length; i++) { +- f += preFilter.replace(/\$/g, questionParts[i]); +- if (i != (questionParts.length - 1)) { +- f += " OR "; +- } +- } +- f += ')'; +- theFilter = s2h(f); +- } else { +- var newFilter = preFilter.replace(/\$/g, questionParts[0]); +- theFilter = s2h(newFilter); +- } +- } else { +- theFilter = tmpFilter; +- } +- } else { // The filter does not exist +- theFilter = s2h('empty'); +- } +- } +- } else { // No filter supplied +- theFilter = s2h('empty'); +- } +- return theFilter; +- } +- +- // +- // This creates the views for each level +- // +- +- function eventList (type) { +- theWhen = getTimestamp(); +- statusPoll(0); +- var parts = type.split("-"); +- var filterMsg = ''; +- var rt = 0; +- var theSensors = s2h('empty'); +- var theFilter = mkFilter(); +- +- // See if we are just RT events +- if ($('#rt').text() == 'on' || rtbit == 1) { +- rt = 1; +- rtbit = 1; +- } +- // How are we sorting? 
+- var sortval = $("#event_sort").val(), sorttxt; +- switch (sortval) { +- case "DESC": sorttxt = "show oldest first"; break; +- case "ASC": sorttxt = "show newest first"; break; +- } +- +- // See if we are filtering by sensor +- if ($('.chk_sen:checked').length > 0) { +- var active_sensors = "AND event.sid IN("; +- var iter = $('.chk_sen:checked').length; +- $('.chk_sen:checked').each(function() { +- active_sensors += "'" + $(this).val() + "',"; +- }); +- active_sensors = active_sensors.replace(/,+$/,''); +- active_sensors += ")"; +- theSensors = s2h(active_sensors); +- } +- +- // Check for any filters +- if (h2s(theFilter) != 'empty') { +- $('.fl_val').text('YES'); +- } else { +- $('.fl_val').text('NO'); +- } +- +- switch (parts[0]) { +- +- // Level 0 view - Grouped by Signature +- case "0": +- $('.value').text('-'); +- +- // Times Chart +- var urChrtArgs = "type=22&ts=" + theWhen + "&filter=" + theFilter + "&sensors=" + theSensors; +- $(function(){ +- $.get(".inc/callback.php?" + urChrtArgs, function(data){cb22(data)}); +- }); +- +- function cb22(data){ +- eval("chartData=" + data); +- var r = chartData.r; +- if (r > 0) { +- mkLine(".times",chartData.rows,chartData.m); +- } +- } +- +- var urArgs = "type=" + parts[0] + "&ts=" + theWhen + "&filter=" + theFilter + "&sensors=" + theSensors + "&rt=" + rt + "&sv=" + sortval; +- $(function(){ +- $.get(".inc/callback.php?" 
+ urArgs, function(data){cb1(data)}); +- }); +- function cb1(data){ +- eval("d0=" + data); +- var tbl = ''; +- var head = ''; +- var row = ''; +- var cols = 11; +- +- if (rt == 0) cols = 12; +- head += ""; +- head += ""; +- head += "QUEUE"; +- if (rt == 0) head += "ALL"; +- head += ""; +- head += "SC"; +- head += "DC"; +- if (rt == 0) head += "CLASS"; +- head += "ACTIVITY"; +- head += "LAST EVENT"; +- head += "SIGNATURE"; +- head += "ID"; +- head += "PROTO"; +- head += "% TOTAL"; +- head += ""; +- +- var sumEC = 0, sumSC = 0, sumDC = 0, sumSI = "-", spr1 = 0, spr2 = 0, spr3 = 0, spr4 = 0; +- +- if (d0.length > 0) { +- // Sums for boxes +- for (var i=0; i"; +- row += "No result. If this is unexpected try this"; +- } +- +- if (rt == 1) { +- sumSC = "-"; +- sumDC = "-"; +- sumEC = eTotal; +- } +- +- var sumRT = 0; +- +- // Tag Array +- var tags = new Array(); +- +- for (var i=0; i 0 ) { +- rtClass = "b_ec_hot"; +- sumRT += parseInt(unClass); +- } else { +- rtClass = "b_ec_cold"; +- } +- +- // Sum priorities +- var prC = Number(d0[i].f1); +- switch (d0[i].f13) { +- case "1": spr1 += prC; break; +- case "2": spr2 += prC; break; +- case "3": spr3 += prC; break; +- default: spr4 += prC; break; +- } +- +- rid = "r" + i + "-" + parts[1]; +- var cells = mkGrid(d0[i].f12); +- if (rt == 0) var catCells = catGrid(d0[i].f11,0,0); +- row += ""; +- row += "
" + unClass + "
"; +- if (rt == 0) row += "
" + d0[i].f1 + "
"; +- row += "
" + d0[i].f13 + "
"; +- row += "" +d0[i].f6+ ""; +- row += "" +d0[i].f7+ ""; +- if (rt == 0) row += "" + catCells + ""; +- +- timeParts = d0[i].f5.split(" "); +- timeStamp = timeParts[1]; +- +- if ( sumEC > 0) { +- rowPer = Number(d0[i].f1/sumEC*100).toFixed(3); +- } else { +- rowPer = "0.000"; +- } +- +- row += "" + cells + ""; +- row += "" + timeStamp + ""; +- row += ""; +- //row += "
" + d0[i].f2 + "
"; +- row += d0[i].f2 + ""; +- row += "" + d0[i].f3 + ""; +- row += "" + d0[i].f8 + ""; +- +- +- row += "" + rowPer + "%"; +- row += ""; +- } +- +- // Populate event summary +- $('#qtotal').text(sumRT); +- $('#etotal').text(sumEC); +- $('#esignature').text(sumSI); +- +- // Populate tags +- for (var i=0; i < tags.length; i++) { +- addTag(tags[i]); +- } +- +- tbl += ""; +- tbl += head; +- tbl += row; +- tbl += "
"; +- +- $('#' + parts[1] + '-' + parts[2]).append(tbl); +- +- if (d0.length > 0) { +- var prVals = [spr1,spr2,spr3,spr4]; +- var pryBar = mkPribar(prVals); +- } else { +- var pryBar = mkPribar([0]); +- } +- $('#tl1').fadeIn('slow'); +- $("#tl1").tablesorter(); +- $("#loader").hide(); +- } +- break; +- +- // Level 1 view - Grouped by signature, source, destination +- +- case "1": +- var urArgs = "type=" + parts[0] + "&object=" + parts[1] + "&ts=" + theWhen + "&filter=" + theFilter + "&sensors=" + theSensors + "&rt=" + rt + "&sv=" + sortval; +- $(function(){ +- $.get(".inc/callback.php?" + urArgs, function(data){cb2(data)}); +- }); +- +- function cb2(data){ +- eval("theData=" + data); +- tbl = ''; +- head = ''; +- row = ''; +- head += "QUEUE"; +- if (rt == 0) head += "TOTAL"; +- if (rt == 0) head += "CLASS"; +- head += "ACTIVITY"; +- head += "LAST EVENT"; +- head += "SOURCE"; +- head += "AGE"; +- head += "COUNTRY"; +- head += "DESTINATION"; +- head += "AGE"; +- head += "COUNTRY"; +- head += ""; +- var curclasscount = 0, tlCount = 0, rtCount = 0; +- var timeValues = "", scid = ""; +- +- // Tag array +- var tags = new Array(); +- +- for (var i=0; i 0 ) { +- rtClass = "b_ec_hot"; +- isActive = "sub_active"; +- } else { +- rtClass = "b_ec_cold"; +- isActive = "sub"; +- } +- +- // Aggregate time values +- timeValues += theData[i].c_ts + ","; +- var cells = mkGrid(theData[i].f12); +- if (rt == 0) var catCells = catGrid(theData[i].c_status,0,0); +- +- // Event sums +- tlCount += parseInt(count,10); +- rtCount += parseInt(unclass,10); +- +- rid = "r" + i + "-" + parts[1] + "-" + src_ip + "-" + dst_ip; +- row += ""; +- row += "
" + unclass + "
"; +- if (rt == 0) row += "
" + count + "
"; +- if (rt == 0) row += "" + catCells + ""; +- row += "" + cells + ""; +- row += "" + max_time + ""; +- row += "
" + src_ip + ""; +- row += "" + src_age_n + ""; +- row += ""; +- row += cs[1] + src_clong + " (." + src_cc.toLowerCase() + ")" + ""; +- row += "
" + dst_ip + ""; +- row += "" + dst_age_n + ""; +- row += ""; +- row += cd[1] + dst_clong + " (." + dst_cc.toLowerCase() + ")" + ""; +- row += ""; +- } +- +- // Populate tags +- for (var i=0; i < tags.length; i++) { +- addTag(tags[i]); +- } +- +- // Add scid's to checkbox +- $("#ca0").data("scid", scid.replace(/,$/, "")); +- +- // If queue is empty provide event sums in case the user +- // intends to reclass anything +- if (rtbit == 1) { +- curclasscount = rtCount; +- } else { +- curclasscount = tlCount; +- } +- +- // update class_count +- $("#class_count").html(curclasscount); +- lastclasscount = $("#class_count").html(); +- +- // While in grouped events (RT) we remove rows as +- // they are classed and subtract the values from "Total Events" +- // This keeps etotal up to date so the math doesn't get silly +- var oldrt = Number($(".d_row_active").find(".b_ec_hot").text()); +- var oldec = Number($("#etotal").text()); +- if (oldrt < rtCount) { +- newrtcount = parseInt((rtCount - oldrt) + oldec); +- $("#etotal").text(newrtcount); +- } +- +- // Update parent counts +- $(".d_row_active").find(".b_ec_hot").text(rtCount); +- if (rt == 0) $(".d_row_active").find(".b_ec_total").text(tlCount); +- +- tbl += "
"; +- tbl += head; +- tbl += row; +- tbl += "
"; +- $("#eview").after(tbl); +- $("#tl2").tablesorter({ +- headers: { +- 4: {sorter:'ipv4'}, +- 6: {sorter:'ipv4'} +- } +- }); +- $("#loader").hide(); +- } +- break; +- +- // Level 2 view - No grouping, individual events +- +- case "2": +- var rowLoke = parts[1]; +- var filter = $('#' + parts[1]).data('filter'); +- var urArgs = "type=" + parts[0] + "&object=" + filter + "&filter=" + theFilter + "&sensors=" + theSensors + "&ts=" + theWhen + "&adqp=" + parts[2] + "&rt=" + rt + "&sv=" + sortval; +- $(function(){ +- $.get(".inc/callback.php?" + urArgs, function(data){cb3(data)}); +- }); +- +- function cb3(data){ +- eval("d2=" + data); +- tbl = ''; +- head = ''; +- row = ''; +- head += ""; +- head += ""; +- head += "ST"; +- head += "TIMESTAMP"; +- head += "EVENT ID"; +- head += "SOURCE"; +- head += "PORT"; +- head += "DESTINATION"; +- head += "PORT"; +- head += "SIGNATURE"; +- head += ""; +- +- // Update class_count +- $("#class_count").html(0); +- var tlCount=0, rtCount=0; +- +- // Tag array +- var tags= new Array(); +- +- for (var i=0; i"; +- tclass = "c" + eclass; +- cv = classifications.class[tclass][0].short; +- +- // Populate tags array +- if (src_tag != "-") { +- var src_tags = src_tag.split(","); +- $.each(src_tags, function(n,tag) { +- var t = tags.indexOf(tag); +- if (t < 0) tags.push(tag); +- }); +- } +- +- if (dst_tag != "-") { +- var dst_tags = dst_tag.split(","); +- $.each(dst_tags, function(n,tag) { +- var t = tags.indexOf(tag); +- if (t < 0) tags.push(tag); +- }); +- } +- +- // Timestamp +- var compts = d2[i].f2.split(",") || "--"; +- var timestamp = compts[0]; +- var utctimestamp = compts[1]; +- +- // Event sums +- tlCount += parseInt(1,10); +- if (cv == "RT") { +- rtCount += parseInt(1,10); +- } +- +- // Transcript link +- // original Squert native pivot: +- //txdata = "s" + i + "-" + cid + "-" + s2h(sid + "|" + utctimestamp + "|" + src_ip + "|" + src_port + "|" + dst_ip + "|" + dst_port); +- //txBit = "" + sid + "." + cid + "
"; +- //if (src_port != "-" && dst_port != "-") { +- // txBit = "" + sid + "." + cid + ""; +- //} +- // new pivot to CapMe: +- txdata = "s" + i + "-" + cid + "-" + s2h(sid + "|" + utctimestamp + "|" + src_ip + "|" + src_port + "|" + dst_ip + "|" + dst_port); +- txBit = "" + sid + "." + cid + ""; +- if (src_port != "-" && dst_port != "-") { +- var startDate = new Date(utctimestamp); +- var start_tz_offset = (startDate.getTimezoneOffset()); +- var stime = startDate.setTime( startDate.getTime()/1000-(start_tz_offset*60) ) - 3600; +- var endDate = new Date(utctimestamp); +- var end_tz_offset = (endDate.getTimezoneOffset()); +- var etime = endDate.setTime( endDate.getTime()/1000-(end_tz_offset*60) ) + 3600; +- txBit = " " + sid + "." + cid + ""; +- } +- +- row += ""; +- row += "
"; +- row += cv + "
"; +- row += "" + timestamp + ""; +- row += txBit; +- row += "" + src_ip + ""; +- row += "" + src_port + ""; +- row += "" + dst_ip + ""; +- row += "" + dst_port + ""; +- row += "" + signature + ""; +- row += ""; +- } +- +- // Update parent counts +- $(".d_row_sub_active").find(".b_ec_hot").text(rtCount); +- if ($(".d_row_sub_active").find(".b_ec_total").text() < tlCount) { +- $(".d_row_sub_active").find(".b_ec_total").text(tlCount); +- } +- +- var cols = $('th.sort').length; +- +- // Populate tags +- clearTags(); +- for (var i=0; i < tags.length; i++) { +- addTag(tags[i]); +- } +- +- tbl += ""; +- tbl += ""; +- tbl += head; +- tbl += row; +- tbl += "
"; +- $("#" + rowLoke).after(tbl); +- $(".d_row_sub").fadeTo('0','0.2'); +- $("#loader").hide(); +- $("#tl3").tablesorter({ +- headers: { +- 0:{sorter:false}, +- 4:{sorter:'ipv4'}, +- 6:{sorter:'ipv4'} +- }, +- cancelSelection:false +- }); +- $("#ca0").hide(); +- } +- break; +- +- // Level 2a view - No grouping, individual events +- +- case "2a": +- $('.value').text('-'); +- var urArgs = "type=2a&ts=" + theWhen + "&filter=" + theFilter + "&sensors=" + theSensors + "&rt=" + rt + "&sv=" + sortval; +- $(function(){ +- $.get(".inc/callback.php?" + urArgs, function(data){cb3a(data)}); +- }); +- +- function cb3a(data){ +- eval("d2a=" + data); +- var tbl = ''; +- var head = ''; +- var row = ''; +- var disabled = ''; +- if (d2a.length == 0) { +- disabled = "disabled"; +- row += ""; +- row += "No result. If this is unexpected try this"; +- } +- +- head += ""; +- head += ""; +- head += ""; +- head += "ST"; +- head += ""; +- head += "TIMESTAMP"; +- head += "ID"; +- head += "SOURCE"; +- head += "PORT"; +- head += "AGE"; +- head += "CC"; +- head += "DESTINATION"; +- head += "PORT"; +- head += "AGE"; +- head += "CC"; +- head += "SIGNATURE"; +- head += ""; +- +- // Aggregate time values +- var timeValues = ""; +- for (var ts=0; ts" + sid + "." + cid + ""; +- //if (src_port != "-" && dst_port != "-") { +- // txBit = "" + sid + "." + cid + ""; +- //} +- // new pivot to CapMe: +- txdata = "s" + i + "-" + cid + "-" + s2h(sid + "|" + utctimestamp + "|" + src_ip + "|" + src_port + "|" + dst_ip + "|" + dst_port); +- txBit = "" + sid + "." + cid + ""; +- if (src_port != "-" && dst_port != "-") { +- var startDate = new Date(utctimestamp); +- var start_tz_offset = (startDate.getTimezoneOffset()); +- var stime = startDate.setTime( startDate.getTime()/1000-(start_tz_offset*60) ) - 3600; +- var endDate = new Date(utctimestamp); +- var end_tz_offset = (endDate.getTimezoneOffset()); +- var etime = endDate.setTime( endDate.getTime()/1000-(end_tz_offset*60) ) + 3600; +- txBit = " " + sid + "." 
+ cid + ""; +- } +- +- row += ""; +- row += ""; +- row += "
"; +- row += cv + "
"; +- row += "
" + d2a[i].f16 + "
"; +- row += "" + timestamp + ""; +- row += txBit; +- row += "
" + src_ip + ""; +- row += "" + src_port + ""; +- row += "" + src_age_n + ""; +- row += "" + cs[1] + ""; +- row += "
" + dst_ip + ""; +- row += "" + dst_port + ""; +- row += "" + dst_age_n + "" +- row += "" + cd[1] + ""; +- row += "" + signature + ""; +- } +- +- var sumED = 0, sumEC = 0, cmsg = ""; +- +- if (d2a.length > 0) { +- sumED = i; +- sumEC = d2a.length; +- } +- +- if (d2a.length >= maxI) { +- sumRE = sumEC - maxI; +- cmsg = " / " + sumRE + " not shown"; +- } +- +- $("#qtotal").html(rsumRT); +- +- // Populate tags +- clearTags(); +- for (var i=0; i < tags.length; i++) { +- addTag(tags[i]); +- } +- +- // Draw +- tbl += ""; +- tbl += "
"; +- tbl += "
"; +- tbl += "
"; +- tbl += "categorize " + 0 + ""; +- tbl += " of " + sumED + " event(s)" + cmsg; +- tbl += "
"; +- tbl += "
" + sorttxt + "
"; +- tbl += "
"; +- tbl += "
"; +- tbl += ""; +- tbl += head; +- tbl += row; +- tbl += "
"; +- $('#' + parts[1] + '-' + parts[2]).after(tbl); +- +- if (d2a.length > 0) { +- var prVals = [spr1,spr2,spr3,spr4]; +- var pryBar = mkPribar(prVals); +- } else { +- var pryBar = mkPribar([0]); +- } +- $("#tl3a,#tl3b").fadeIn('slow'); +- $("#tl3b").tablesorter({ +- headers: { +- 0:{sorter:false}, +- 1:{sorter:false}, +- 5:{sorter:'ipv4'}, +- 8:{sorter:'ipv4'} +- }, +- cancelSelection:false +- }); +- $("#loader").hide(); +- } +- break; +- +- // Level 3 view - Packet Data +- +- case "3": +- var rowLoke = parts[1]; +- var nCols = $('#' + parts[1]).data('cols'); +- var filter = $('#' + parts[1]).data('filter'); +- var urArgs = "type=" + parts[0] + "&object=" + filter + "&ts=" + theWhen; +- var sg = $('#' + parts[1]).data('sg'); +- $(function(){ +- $.get(".inc/callback.php?" + urArgs, function(data){cb4(data)}); +- }); +- +- function cb4(data){ +- eval("theData=" + data); +- +- var tbl = '', head = '', row = ''; +- +- // If IP version is 0 we can jump right to the payload (likely bro, http or ossec agent) +- if (theData[0].ip_ver != 0) { +- +- var PDATA = 0; +- head += ""; +- head += ""; +- head += ""; +- head += ""; +- head += ""; +- head += ""; +- head += ""; +- head += ""; +- head += ""; +- head += ""; +- head += ""; +- head += ""; +- head += ""; +- head += ""; +- +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += "
IPVERIHLTOSLENGTHIDFLAGSOFFSETTTLCHECKSUMPROTO
" + theData[0].ip_ver + "" + theData[0].ip_hlen + "" + theData[0].ip_tos + "" + theData[0].ip_len + "" + theData[0].ip_id + "" + theData[0].ip_flags + "" + theData[0].ip_off + "" + theData[0].ip_ttl + "" + theData[0].ip_csum + "" + theData[0].ip_proto + "
"; +- +- switch (theData[0].ip_proto) { +- case "1": +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += "
ICMPTYPECODECHECKSUMIDSEQ#
" + theData[1].icmp_type + "" + theData[1].icmp_code + "" + theData[1].icmp_csum + "" + theData[1].icmp_id + "" + theData[1].icmp_seq + "
"; +- break; +- +- case "6": +- // TCP flags +- var tmpFlags = theData[1].tcp_flags || 'z'; +- switch (tmpFlags) { +- case 'z': var tcpFlags = '--------'; break; +- default: +- var binFlags = Number(theData[1].tcp_flags).toString(2); +- var binPad = 8 - binFlags.length; +- var tcpFlags = "00000000".substring(0,binPad) + binFlags; +- break; +- } +- var tcp_seq = theData[1].tcp_seq || '-'; +- var tcp_ack = theData[1].tcp_ack || '-'; +- var tcp_off = theData[1].tcp_off || '-'; +- var tcp_res = theData[1].tcp_res || '-'; +- var tcp_win = theData[1].tcp_win || '-'; +- var tcp_urp = theData[1].tcp_urp || '-'; +- var tcp_csum = theData[1].tcp_csum || '-'; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += "
TCPR1R0URGACKPSHRSTSYNFINSEQ#ACK#OFFSETRESWINURPCHECKSUM
" + tcpFlags[0] + "" + tcpFlags[1] + "" + tcpFlags[2] + "" + tcpFlags[3] + "" + tcpFlags[4] + "" + tcpFlags[5] + "" + tcpFlags[6] + "" + tcpFlags[7] + "" + tcp_seq + "" + tcp_ack + "" + tcp_off + "" + tcp_res + "" + tcp_win + "" + tcp_urp + "" + tcp_csum + "
"; +- break; +- +- case "17": +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += "
UDPLENGTHCHECKSUM
" + theData[1].udp_len + "" + theData[1].udp_csum + "
"; +- break; +- } +- +- var p_hex = '', p_ascii = '', p_ascii_l = ''; +- +- // Data +- if (!theData[2]) { +- p_hex = "No Data Sent."; +- p_ascii = "No Data Sent."; +- } else { +- p_pl = theData[2].data_payload; +- p_length = theData[2].data_payload.length; +- var b0 = 0; +- +- for(var i=0; i < p_length; i+=2) { +- b0++; +- t_hex = p_pl.substr(i,2); +- t_int = parseInt(t_hex,16); +- +- if ((t_int < 32) || (t_int > 126)) { +- p_hex += t_hex + " "; +- p_ascii += "."; +- p_ascii_l += "."; +- } else if (t_int == 60) { +- p_hex += t_hex + " "; +- p_ascii += "<"; +- p_ascii_l += "<"; +- } else if (t_int == 62) { +- p_hex += t_hex + " "; +- p_ascii += ">"; +- p_ascii_l += ">"; +- } else { +- p_hex += t_hex + " "; +- p_ascii += String.fromCharCode(parseInt(t_hex, 16)); +- p_ascii_l += String.fromCharCode(parseInt(t_hex, 16)); +- } +- +- if ((b0 == 16) && (i < p_length)) { +- p_hex += "
"; +- p_ascii += "
"; +- b0 = 0; +- } +- } +- } +- +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += "
DATAHEXASCII
" + p_hex + "" + p_ascii + "
ASCII" + p_ascii_l + "
"; +- +- } else { +- +- head += ""; +- var p_ascii = "No Data Sent."; +- // This needs to be more robust. +- if (theData[2]) { +- var tmp = h2s(theData[2].data_payload).split("\n"); +- p_ascii = ''; +- for (var i in tmp) { +- p_ascii += "
" + tmp[i] + "
"; +- } +- +- } +- row += ""; +- row += ""; +- row += "
" + p_ascii + "
"; +- } +- +- tbl += ""; +- +- // If we are not grouped we show the signature text +- if ( sg != 0 ) { +- tbl += "
"; +- tbl += "
"; +- tbl += "
"; +- tbl += "
"; +- tbl += "
"; +- tbl += "
"; +- sigLookup(sg); +- } +- +- // Comments and tags are done here +- var tags = new Array(); +- var eventTag = 'None.'; +- var eventComment = theData[0].comment || 'None.'; +- var src_tag = theData[0].srctag || '-'; +- var dst_tag = theData[0].dsttag || '-'; +- +- // Populate tags array +- if (src_tag != "-") { +- var src_tags = src_tag.split(","); +- $.each(src_tags, function(n,tag) { +- var t = tags.indexOf(tag + ",s"); +- if (t < 0) tags.push(tag + ",s"); +- }); +- } +- +- if (dst_tag != "-") { +- var dst_tags = dst_tag.split(","); +- $.each(dst_tags, function(n,tag) { +- var t = tags.indexOf(tag + ",d"); +- if (t < 0) tags.push(tag + ",d"); +- }); +- } +- +- if (tags.length > 0) eventTag = ''; +- +- tbl += "
COMMENTS
"; +- tbl += "
" + eventComment + "
"; +- tbl += "
TAGS
"; +- tbl += "
" + eventTag + "
"; +- if (PDATA != 0) { +- tbl += "
DETAILS
"; +- } else { +- tbl += "
PAYLOAD
"; +- } +- tbl += head; +- tbl += row; +- tbl += ""; +- $("#" + rowLoke).after(tbl); +- $("#loader").hide(); +- +- // Turn off fade effect for large results +- var rC = $(".d_row_sub1").length; +- if ( rC <= 499 ) { +- $(".d_row_sub1").fadeTo('fast','0.2'); +- } +- +- // Populate tags +- clearTags(); +- for (var i=0; i < tags.length; i++) { +- addTag(tags[i]); +- } +- +- } +- break; +- } +- // If event queue is off we need to reset this after load if b_ec_hot was +- // the entry point +- if ($('#rt').text() == 'off') rtbit = 0; +- } +- +- // +- // Object click handlers +- // +- +- $(document).on("click", ".select,.ex_val,.sub_filter,.row_filter,.tof,.value_link,.nr_f", function(e) { +- // Check if we are coming from a legit object +- var prefix = $(this).data('type'); +- if (prefix == "none") return; +- +- // Check if we are coming from a sane selection +- var selLen = window.getSelection().toString().length; +- if (selLen > 4) { +- if (selLen < 255) { // Might need to change these based on how people use this +- prefix = "zz"; +- var suffix = window.getSelection().toString(); +- var re = /\s/g; +- var NOK = re.exec(suffix); +- if (NOK) return; +- } else { +- return; +- } +- } else { +- var suffix = $(this).text(); +- } +- +- var mX = e.pageX; +- var mY = e.pageY; +- +- var colour = $(this).data('col') || "FFFFFF"; +- var tfocus = "#search"; +- switch (prefix) { +- case 'ip': +- hItemAdd(suffix); +- var sord = $(this).data('sord'); +- mkPickBox(prefix,suffix,sord,colour,mX,mY); +- break; +- case 'spt': +- case 'dpt': +- hItemAdd(suffix); +- mkPickBox(prefix,suffix,0,colour,mX,mY); +- break; +- case 'cc': +- case 'scc': +- case 'dcc': +- var cc = $(this).data('value'); +- hItemAdd(cc); +- mkPickBox(prefix,cc,suffix,colour,mX,mY); +- break; +- case 'cmt': +- suffix = $(this).data('comment'); +- $("#rt").text("off"); +- $("#rt").attr('class','tvalue_off'); +- $('#search').val(prefix + " " + suffix); +- hItemAdd(suffix); +- if ($('#cat_box').css('display') != 'none') { 
+- $('#ico01').click(); +- } +- $('.b_update').click(); +- break; +- case 'cmt_c': +- $('.cat_msg_txt').val(suffix); +- hItemAdd(suffix); +- tfocus = ".cat_msg_txt"; +- break; +- case 'fil': +- var fil = $(this).data('value'); +- $('#search').val(fil); +- hItemAdd(fil); +- if ($('#fltr_box').css('display') != 'none') { +- $('#ico04').click(); +- } +- $('.b_update').click(); +- break; +- case 'sid': +- var value = $(this).data('value'); +- hItemAdd(suffix); +- mkPickBox(prefix,value,suffix,colour,mX,mY); +- break; +- case 'st': +- var suffix = $(this).attr('id').split('-')[1]; +- $('#search').val(prefix + " " + suffix); +- // RT must be off to return anything +- $('#rt').attr('class','tvalue_off'); +- $('#rt').text('off'); +- rtbit = 0; +- $('.b_update').click(); +- break; +- case 'el': +- var suffix = $(this).data('value'); +- mkPickBox(prefix,suffix,0,colour,mX,mY); +- break; +- case 'zz': +- hItemAdd(suffix); +- mkPickBox(prefix,suffix,0,colour,mX,mY); +- break; +- } +- }); +- +- // +- // Picker Box +- // +- +- function mkPickBox(prefix,suffix,rsuffix,colour,mX,mY) { +- var doexternals = "yes"; +- var objhex = s2h(suffix); +- var tbl = '', row = ''; +- // Local stuff first +- switch (prefix[prefix.length - 1]) { +- case "c": +- row += ":: SRC or DST"; +- row += ":: SRC"; +- row += ":: DST"; +- row += ":: SEARCH"; +- break; +- case "p": +- row += ":: SRC or DST"; +- row += ":: SRC"; +- row += ":: DST"; +- row += ":: ADD / REMOVE TAG"; +- if ($('.sigtxt')[0]) { +- row += ":: HISTORY"; +- } +- row += ":: SEARCH"; +- row += ":: COLOUR  "; +- row += ""; +- row += "apply"; +- row += "apply all"; +- row += ""; +- break; +- case "t": +- row += ":: SRC"; +- row += ":: DST"; +- row += ":: SEARCH"; +- break; +- case "d": +- row += ":: SIGNATURE"; +- if ($('.sigtxt')[0]) { +- row += ":: HISTORY"; +- } +- row += ":: SEARCH"; +- break; +- case "l": +- row += ":: COLOUR  "; +- row += ""; +- row += "update"; +- doexternals = "no"; +- break; +- case "z": +- row += ":: SEARCH"; +- 
break; +- } +- +- // If applicable populate externals +- if (doexternals == "yes") { +- $('.f_row').each(function() { +- var ct = $(this).data('type'); +- if (ct == 'url') { +- var alias = $(this).data('alias'); +- var name = $(this).data('name'); +- var url = $(this).data('filter'); +- row += ""; +- row += "" + name + ""; +- row += ""; +- } +- }); +- } +- +- tbl += ""; +- tbl += row; +- tbl += "
"; +- +- var boxlabel = suffix; +- +- // Use more descriptive names where possible +- var re = /(sid|cc|scc|dcc)/; +- var OK = re.exec(prefix); +- if (OK) { +- var boxlabel = rsuffix; +- } +- +- if (boxlabel.length > 24) { +- boxlabel = boxlabel.substring(0,24); +- boxlabel += ".."; +- } +- +- $('#pickbox_label').text(boxlabel).css('font-weight','normal').data('sord', rsuffix); +- +- if ($('#tlpick')[0]) $('#tlpick').remove(); +- $(".pickbox_tbl").append(tbl); +- $('.pickbox').fadeIn('fast'); +- +- // Colour Picker +- $("#menucol").spectrum({ +- showInput: true, +- className: "full-spectrum", +- showInitial: true, +- showPalette: true, +- showSelectionPalette: true, +- maxPaletteSize: 6, +- preferredFormat: "hex", +- localStorageKey: "spectrum.demo", +- move: function (color) {}, +- show: function () {}, +- beforeShow: function () {}, +- hide: function () {}, +- change: function() {}, +- palette: [ +- ['rgb(217,217,217)','rgb(189,189,189)','rgb(150,150,150)','rgb(99,99,99)','rgb(37,37,37)'], +- ['rgb(199,233,192)','rgb(161,217,155)','rgb(116,196,118)','rgb(49,163,84)','rgb(0,109,44)'], +- ['rgb(218,218,235)','rgb(188,189,220)','rgb(158,154,200)','rgb(117,107,177)','rgb(84,39,143)'], +- ['rgb(198,219,239)','rgb(158,202,225)','rgb(107,174,214)','rgb(49,130,189)','rgb(8,81,156)'], +- ['rgb(254,217,118)','rgb(254,178,76)','rgb(253,141,60)','rgb(240,59,32)','rgb(189,0,38)'] +- ] +- }); +- } +- +- // Pickbox click events +- $(document).on('click', '.p_row', function() { +- if ($('.tagbox').css('display') != 'none') $('.tagcancel').click(); +- var ctype = $(this).data('type'); +- var alias = $(this).data('alias'); +- var args = $('#tlpick').data('val'); +- switch(ctype) { +- case "l": +- $('.pickbox').fadeOut('fast'); +- $('#search').val(alias + " " + args); +- $('.b_update').click(); +- break; +- case "r": +- $('.pickbox').fadeOut('fast'); +- var url = h2s($(this).data('url')).replace("${var}", args); +- window.open(url); +- break; +- case "t": +- 
$('.tagbox').fadeIn('fast'); +- $('.taginput').focus(); +- break; +- case "s": +- $('.pickbox').fadeOut('fast', function() {; +- $('#ico05').click(); +- }); +- $('.srch_txt').val(args); +- break; +- case "h": +- doHistory(args); +- $('.pickbox').fadeOut('fast'); +- break; +- default: return; +- } +- }); +- +- // +- // Tags +- // +- +- // Truncate +- function truncTag(tag,len) { +- if (tag.length > len) tag = tag.substring(0,len) + ".."; +- return tag; +- } +- +- // Filter results or add as new +- $(document).on('click', '.tag', function() { +- var tag = $(this).data('val'); +- if($('.taginput').is(":visible")) { +- $('.taginput').val(tag); +- $('.taginput').focus(); +- } else { +- $('#search').val('tag ' + tag); +- $('.b_update').click(); +- } +- }); +- +- // Remove individual tags on "(X)" click via payload area +- $(document).on('mouseenter', '.tag_d, .tag_s', function() { +- var tag = $(this).data('val'); +- if ($(".tag_x")[0]) return; +- var dw = $(this).width() - 5 + "px"; +- $(this).append("
X
"); +- $(".tag_x").css("margin-left", dw); +- $(".tag_x").fadeIn("slow"); +- +- }); +- +- $(document).on('mouseleave', '.tag_d, .tag_s', function() { +- $('.tag_x').remove(); +- }); +- +- $(document).on('click', '.tag_x', function() { +- var tag = $(this).parent().data("val"); +- var obj = $(this).parent().data("obj"); +- $(this).parent().remove(); +- var len = $("#tag_area").text().length; +- if (len == 0) $("#tag_area").append("None."); +- //doTag(s2h(obj),tag,'rm'); +- }); +- +- // Fire tag add on enter +- $('.taginput').keypress(function(e) { +- if (!e) e=window.event; +- key = e.keyCode ? e.keyCode : e.which; +- if (key == 13) $('.tagok').click(); +- }); +- +- // Close tag entry +- $(document).on('click', '.tagcancel', function() { +- $('.taginput').val(''); +- $('.tagbox').fadeOut('fast'); +- }); +- +- // Add a tag +- $(document).on('click', '.tagok', function() { +- var tag = $('.taginput').val(); +- var obj = $('#pickbox_label').text(); +- var re = /^[?a-zA-Z0-9][\s{1}\w-\.]*$/; +- var OK = re.exec(tag); +- if (OK) doTag(s2h(obj),tag,'add'); +- }); +- +- // Remove a tag +- $(document).on('click', '.tagrm', function() { +- var tag = truncTag($('.taginput').val(),20); +- var obj = $('#pickbox_label').text(); +- doTag(s2h(obj),tag,'rm'); +- $(".tag" + ":contains('" + tag + "')").remove(); +- $('.tagcancel').click(); +- }); +- +- // Display or Toggle tags +- function addTag(tag) { +- // If we entered from payload we have some additional info +- if ($('#eview_sub2')[0]) { +- var longTag = tag.split(",")[0]; +- var theClass = tag.split(",")[1]; +- var t_tag = truncTag(longTag,20); +- } else { +- var t_tag = truncTag(tag,20); +- } +- +- // Hide empty +- $('.tag_empty').hide(); +- +- // Check if tag exists +- var tag_exists = 0; +- $('.tag').each(function() { +- if ($(this).text() == t_tag) { +- $(this).addClass('tag_active'); +- tag_exists = 1; +- } +- }); +- +- // Add tag to left pane +- if (tag_exists == 0) { +- var newTag = "
" + t_tag + "
"; +- $('#tg_box').prepend(newTag); +- } +- +- // If we have the payload open, add here as well +- if ($('#eview_sub2')[0]) { +- if($('#pickbox_label').is(":visible")) { +- theClass = $('#pickbox_label').data('sord')[0]; +- } +- // Remove placeholder +- if ($('#tag_none')[0]) $('#tag_none').remove(); +- var newTag = "
" + t_tag + "
"; +- $('#tag_area').prepend(newTag); +- } +- +- } +- +- function doTag(obj,tag,op) { +- var urArgs = "type=19&obtype=tag&object=" + obj + "&value=" + tag + "&op=" + op; +- $(function(){ +- $.post(".inc/callback.php?" + urArgs, function(data){cb22(data)}); +- }); +- +- function cb22(data){ +- eval("theData=" + data); +- if (theData.msg != '') { +- alert(theData.msg); +- } else { +- if (op != 'rm') addTag(tag); +- $('.tagcancel').click(); +- } +- } +- } +- +- // Colours +- $(document).on('click', '.csave', function() { +- var obtype = $(this).data('obtype'); +- var object = $(this).data('object'); +- var colour = $('#menucol').val().replace(/#/,"").toUpperCase(); +- var op = "add"; +- var re = /^([A-Fa-f0-9]{6}|[A-Fa-f0-9]{3})$/; +- var OK = re.exec(colour); +- if (!OK) return; +- // Single or multiple? +- if (obtype == "src" || obtype == "dst") { +- var vr = new Array(); +- $("." + obtype).each(function() { +- var v = $(this).text(); +- var re = /\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}/; +- var OK = re.exec(v); +- if (OK) { +- var t = vr.indexOf(v); +- if (t < 0) vr.push(v); +- } +- }); +- object = vr.toString(); +- } +- +- var urArgs = "type=19&obtype=" + obtype + "_c&object=" + object + "&value=" + colour + "&op=" + op; +- $(function(){ +- $.post(".inc/callback.php?" + urArgs, function(data){cb22(data)}); +- }); +- +- function cb22(data){ +- eval("theData=" + data); +- if (theData.msg != '') { +- alert(theData.msg); +- } else { // We should be good.. +- var curObject = $('#pickbox_label').text(); +- if (obtype == "el") { +- var html = "
" + colour; +- $('#el_' + curObject).html(html); +- $('#el_' + curObject).data('col', colour); +- } else { +- $(".sub_filter:contains(" + curObject + ")").each(function() { +- $(this).find('.object').css('background-color', '#' + colour).parent().data('col', colour); +- }); +- } +- $('.pickbox').fadeOut('fast'); +- } +- } +- }); +- +- $(document).on('click', '.pickbox_close', function() { +- $('.tagcancel').click(); +- $('.pickbox').fadeOut('fast'); +- }); +- +- // +- // Object History +- // +- +- function hItemAdd(item) { +- var itemTitle = item; +- // Truncate +- if (item.length > 33) { +- itemTitle = item.substring(0,33) + ".."; +- } +- // Remove empty message +- $('.history_empty').hide(); +- +- // If the item doesn't exist, add it. Otherwise, we start counting. +- if ($(".h_item:contains('" + itemTitle + "')").length > 0) { +- var oc = $(".h_item:contains('" + itemTitle + "')").data('n'); +- var nc = Number(oc) + 1; +- var bg = '#c9c9c9'; +- var fn = 'normal'; +- if (nc <= 3) { +- bg = '#000'; +- } else if (nc > 3) { +- bg = '#cc0000'; +- fn = 'bold'; +- } +- +- $(".h_item:contains('" + itemTitle + "')").css('color', bg); +- $(".h_item:contains('" + itemTitle + "')").css('font-weight', fn); +- $(".h_item:contains('" + itemTitle + "')").data('n',nc); +- $(".h_item:contains('" + itemTitle + "')").text(itemTitle + "(" + nc + ")"); +- } else { +- var toAdd = " " + itemTitle + ""; +- $('#h_box').prepend(toAdd); +- } +- } +- +- if (!$('.h_item')[0]) { +- $('.history_empty').show(); +- } +- +- // Alt mappings for icons +- +- $.alt('1', function() { +- $("#ico01").click(); +- }); +- $.alt('2', function() { +- $("#ico02").click(); +- }); +- $.alt('3', function() { +- $("#ico03").click(); +- }); +- $.alt('4', function() { +- $("#ico05").click(); +- }); +- $.alt('5', function() { +- $("#ico04").click(); +- }); +- +- // +- // Event classification +- // +- +- // Use function keys to trigger status buttons +- $(document).keydown(function(event){ +- +- function stopOthers() 
{ +- event.originalEvent.keyCode = 0; +- event.preventDefault(); +- event.stopPropagation(); +- } +- +- switch (event.keyCode) { +- case 112: stopOthers(); $('#b_class-11').click(); break; +- case 113: stopOthers(); $('#b_class-12').click(); break; +- case 114: stopOthers(); $('#b_class-13').click(); break; +- case 115: stopOthers(); $('#b_class-14').click(); break; +- case 116: stopOthers(); $('#b_class-15').click(); break; +- case 117: stopOthers(); $('#b_class-16').click(); break; +- case 118: stopOthers(); $('#b_class-17').click(); break; +- case 119: stopOthers(); $('#b_class-1').click(); break; +- case 120: stopOthers(); $('#b_class-2').click(); break; +- } +- }); +- +- // Comment window status buttons +- $(document).on("click", "#cw_buttons", function(event) { +- var newclass = $(event.target).data('n'); +- if (newclass == 0) { +- $('#b_class-' + newclass).click(); +- } else { +- $('#b_class-' + newclass).click(); +- } +- }); +- +- // Highlight colour for selected events +- var hlcol = "#FFFFE0"; +- var hlhov = "#FDFDD6"; +- +- // Individual selects +- var clickOne = 0, clck1 = 0, clck2 = 0; +- $(document).on("click", ".chk_event", function(event) { +- $("#tl3b").trigger('update'); +- var clickTwo = this.id.split("_"); +- if (Number(clickOne[1]) > Number(clickTwo[1])) { +- clck1 = clickTwo[1]; +- clck2 = clickOne[1]; +- } else { +- clck1 = clickOne[1]; +- clck2 = clickTwo[1]; +- } +- +- if (event.shiftKey) { +- if (clck1 != clck2) { +- $("#s" + clck1).nextUntil("#s" + clck2).find(".chk_event").prop("checked", true); +- $("#s" + clck1).nextUntil("#s" + clck2).css("background-color", hlcol); +- $("#s" + clck1).nextUntil("#s" + clck2).hover( +- function(){$(this).css("background-color", hlhov)}, +- function(){$(this).css("background-color", hlcol)}); +- clickOne = 0, clck1 = 0, clck2 = 0; +- } +- } +- +- // Update class_count +- $("#class_count").html($(".chk_event:checked").length); +- if ($("#ca1:checked").length > 0) { +- $("#ca1").prop("checked",false); +- 
} +- clickOne = this.id.split("_"); +- +- if ($(this).prop("checked") == true) { +- $("#s" + clickTwo[1]).css("background-color", hlcol); +- $("#s" + clickTwo[1]).hover(function(){$(this).css("background-color", hlhov)}, +- function(){$(this).css("background-color", hlcol)}); +- } else { +- $("#s" + clickTwo[1]).css("background-color", "transparent"); +- $("#s" + clickTwo[1]).hover(function(){$(this).css("background-color", "#f4f4f4")}, +- function(){$(this).css("background-color", "transparent")}); +- } +- }); +- +- // Select all (2) +- $(document).on("click", "#ca1", function(event) { +- var chkLen = $("#ca1:checked").length; +- switch(chkLen) { +- case 0: +- $(".chk_event").prop("checked",false); +- $("#ca0").prop("checked",false); +- $(".d_row_sub1").css("background-color", "transparent"); +- $(".d_row_sub1").hover(function(){$(this).css("background-color", "#f4f4f4")}, +- function(){$(this).css("background-color", "transparent")}); +- break; +- default: +- $(".chk_event").each(function() { +- if ($(this).prop("disabled") == false) { +- $(this).prop("checked",true); +- } +- }); +- $(".d_row_sub1").css("background-color", hlcol); +- $(".d_row_sub1").hover(function(){$(this).css("background-color", hlhov)}, +- function(){$(this).css("background-color", hlcol)}); +- $("#ca0").prop("checked",true); +- break; +- } +- +- if ($(".eview_sub1")[0]) { +- // Update class_count +- $("#class_count").html($(".chk_event:checked").length); +- } +- +- }); +- +- // Select all (2a) - clean this up, the above is almost identical +- $(document).on("click", "#ca2", function(event) { +- var chkLen = $("#ca2:checked").length; +- switch(chkLen) { +- case 0: +- $(".chk_event").prop("checked",false); +- $("#ca2").prop("checked",false); +- $(".d_row_sub1").css("background-color", "transparent"); +- $(".d_row_sub1").hover(function(){$(this).css("background-color", "#f4f4f4")}, +- function(){$(this).css("background-color", "transparent")}); +- break; +- default: +- 
$(".chk_event").each(function() { +- if ($(this).prop("disabled") == false) { +- $(this).prop("checked",true); +- } +- }); +- $(".d_row_sub1").css("background-color", hlcol); +- $(".d_row_sub1").hover(function(){$(this).css("background-color", hlhov)}, +- function(){$(this).css("background-color", hlcol)}); +- $("#ca2").prop("checked",true); +- break; +- } +- // Update class_count +- $("#class_count").html($(".chk_event:checked").length); +- }); +- +- // Class button click +- $(document).on("click", "[id*=\"b_class-\"]", function() { +- // We only fire if something is selected +- var chkLen = parseInt($(".chk_event:checked").length + $(".chk_all:checked").length); +- var intclass = $(this).attr('id').split("-"); +- if (chkLen > 0 && intclass[1] != 0) { +- eClass(this,intclass[1]); +- } +- }); +- +- function eClass(caller,intclass) { +- // The sid.cid values +- var scid= "", scidlist = "", ecls = 0; +- if ($(".eview_sub1")[0] || $("#ca2")[0]) { +- $(".chk_event:checked").each(function() { +- if ($(this).data('eclass') == 0) { +- ecls++; +- } +- scid += $(this).val() + ","; +- }); +- scidlist = scid.replace(/,$/, ""); +- } else { +- ecls = $(".d_row_active").find(".b_ec_hot").text(); +- scidlist = $("#ca0").data("scid"); +- } +- +- // Was there a message? +- var msg = "none"; +- if ($(".cat_msg_txt").val().length != 0) { +- msg = $(".cat_msg_txt").val(); +- } +- +- if ($('#cat_box').css('display') != 'none') { +- $('#ico01').click(); +- } +- +- // We are now ready to class +- var catdata = intclass + "|||" + msg + "|||" + scidlist; +- var urArgs = "type=" + 9; +- $(function(){ +- $.post(".inc/callback.php?" 
+ urArgs, { catdata: catdata } ,function(data){cb9(data)}); +- }); +- +- function cb9(data){ +- eval("catRaw=" + data); +- catDbg = catRaw.dbg; +- if (catDbg == "0") { +- +- var curtotalrtcount = Number(ecls); +- // Working on grouped events +- if ($("#gr").text() == "on") { +- curclasscount = Number($("#class_count").text()); +- var curtotalparentcount = $(".d_row_active").find(".b_ec_hot").text(); +- // Do we have queued events? +- if (curtotalparentcount > 0) { +- +- // Are we working on queued events? +- if (curtotalrtcount > 0) { +- curclasscount = curtotalrtcount; +- } else { +- curclasscount = 0; +- } +- // Adjust the parent count +- newparentcount = parseInt(curtotalparentcount - curclasscount,10); +- $(".d_row_active").find(".b_ec_hot").text(newparentcount); +- +- if (newparentcount == 0) { +- $(".d_row_active").find(".b_ec_hot").parent().attr('class','row'); +- $(".d_row_active").find(".b_ec_hot").attr('class','b_ec_cold'); +- } +- +- // If we are working within the child, adjust accordingly +- if ($(".eview_sub1")[0]) { +- // How many are in the child +- curtotalchildcount = $(".d_row_sub_active").find(".b_ec_hot").text(); +- +- // Adjust the child count +- newchildcount = parseInt(curtotalchildcount - curclasscount,10); +- $(".d_row_sub_active").find(".b_ec_hot").text(newchildcount); +- if (newchildcount == 0) { +- $("#ca1").prop("disabled",true); +- $(".d_row_sub_active").find(".b_ec_hot").parent().attr('class','sub'); +- $(".d_row_sub_active").find(".b_ec_hot").attr('class','b_ec_cold'); +- } +- // Otherwise we were called from the parent +- } else { +- $(".d_row_sub").find(".b_ec_hot").parent().attr('class','sub'); +- $(".d_row_sub").find(".b_ec_hot").text(0); +- $(".d_row_sub").find(".b_ec_hot").attr('class','b_ec_cold'); +- $("#ca0").prop("disabled",true); +- } +- lastclasscount = newparentcount; +- } +- +- // Lastly, update class_count +- if (rtbit == 1 || curtotalrtcount > 0 || $("#eview_sub")[0]) { +- $("#class_count").html(0); +- } else { +- 
$("#class_count").html($(".d_row_active").find(".b_ec_total").text()); +- } +- +- // Working on ungrouped events +- } else { +- $("#class_count").html(lastclasscount); +- } +- +- // What the new classification is +- selClass = $(caller).data("cn"); +- newClass = "a_" + selClass; +- +- // Change visible class and disable if RT +- // If we are RT ungrouped, we just remove +- if ($('#rt').text() == 'on' && $("#ca2")[0]) { +- $(".chk_event:checked").each(function() { +- var pid = $(this).attr("id").split("_"); +- var nid = parseInt(Number(pid[1]) + 1); +- // Remove any open payload or TX panes +- if ($("[id^=eview_]")[0]) { +- $("[id^=eview_]").remove(); +- $(".d_row_sub1").css('opacity','1'); +- } +- // Remove the row +- $("#s" + pid[1]).fadeOut('fast', function() { +- $("#s" + pid[1]).remove(); +- }); +- }); +- +- // Update table (for sorter) +- $("#tl3b").trigger('update'); +- } else { +- // If we are RT and all events are classed we just remove +- if ($('#rt').text() == 'on' && $(".d_row_active").find(".b_ec_hot").text() == 0) { +- $("#active_eview").remove(); +- $(".d_row_active").fadeOut('slow', function (event) { +- $(".d_row_active").remove(); +- var newsigtotal = "-"; +- var sigtotal = $("#esignature").text(); +- if (sigtotal > 0) { +- newsigtotal = parseInt(sigtotal - 1); +- } +- $("#esignature").text(newsigtotal); +- }); +- $(".d_row").css('opacity','1'); +- } else { +- $(".chk_event:checked").each(function() { +- var n = this.id.split("_"); +- $("#class_box_" + n[1]).attr('class', newClass); +- $("#class_box_" + n[1]).text(selClass); +- if (curtotalparentcount > 0) { +- $(this).prop("disabled",true); +- } +- }); +- } +- $(".d_row_sub1").css("background-color", "#fafafa"); +- $(".d_row_sub1").hover(function(){$(this).css("background-color", "#f4f4f4")}, +- function(){$(this).css("background-color", "#fafafa")}); +- } +- +- // Uncheck everything +- $(".chk_event").prop("checked", false); +- $(".chk_all").prop("checked", false); +- // Remove these scids from 
the L1 scidlist +- if ($("#ca0")[0] && rtbit == 1) { +- var cur_scidlist = scidlist.split(','); +- var active_scidlist = $("#ca0").data("scid"); +- for (var i = 0; i < cur_scidlist.length; i++) { +- active_scidlist = active_scidlist.replace(cur_scidlist[i],''); +- } +- active_scidlist = active_scidlist.replace(/,{2,}/g,','); +- active_scidlist = active_scidlist.replace(/(^,|,$)/g,''); +- $("#ca0").data("scid", active_scidlist); +- } +- catMsg(scidlist.split(',').length, curtotalrtcount); +- } else { +- catMsg(0); +- } +- } +- } +- +- function catMsg(count, rtcount) { +- switch (count) { +- default: +- var ess = ''; +- if ( count > 1 ) ess = 's'; +- +- var numrows = Number($('.d_row').length + $('.d_row_sub1').length); +- var newboxtotal = 0, newcatcount = 0; +- newboxtotal = parseInt($("#qtotal").text() - rtcount); +- $("#qtotal").text(newboxtotal); +- +- // If we are just rt update Total boxes as we go +- if ($("#ca2")[0]) { // We are ungrouped +- newcatcount = parseInt($("#cat_count").text() - count); +- if (newcatcount == 0) { +- newView("u"); +- } else { +- $("#cat_count").text(newcatcount); +- } +- } +- +- if (numrows == 0) { +- newView("u"); +- } +- +- var msg = count + " event" + ess + " categorized"; +- clearTags(); +- break; +- } +- +- $("span.class_msg").text(msg); +- $("span.class_msg").fadeIn('slow', function() { +- setTimeout(function(){ +- $(".class_msg").fadeOut('slow'); +- }, 3000); +- }); +- } +- +- // Load summary tab +- function loadSummary() { +- var limit = 10; +- if ($('#wm0')[0]) { +- doMap("redraw"); +- } else { +- doMap("draw"); +- } +- mkSummary("signature",limit); +- mkSummary("srcip",limit); +- mkSummary("dstip",limit); +- mkSummary("srcpt",limit); +- mkSummary("dstpt",limit); +- mkSummary("srccc",limit); +- mkSummary("dstcc",limit); +- } +- +- // Toggle summary section +- $(document).on("click", ".hidepane", function(e) { +- $('#topsignature').toggle(); +- }); +- +- // Summary tab +- function mkSummary(box,limit) { +- var theWhen = 
getTimestamp(); +- var theSensors = s2h('empty'); +- var theFilter = mkFilter(); +- // See if we are filtering by sensor +- if ($('.chk_sen:checked').length > 0) { +- var active_sensors = "AND event.sid IN("; +- var iter = $('.chk_sen:checked').length; +- $('.chk_sen:checked').each(function() { +- active_sensors += "'" + $(this).val() + "',"; +- }); +- active_sensors = active_sensors.replace(/,+$/,''); +- active_sensors += ")"; +- theSensors = s2h(active_sensors); +- } +- +- var ldr = "
"; +- $('#ov_' + box + '_sl').prepend(ldr); +- $('#top' + box).fadeTo('fast', 0.2); +- switch (box) { +- case "srcip": +- var cbArgs = "srcip"; +- var qargs = "ip-src"; +- var urArgs = "type=15&qargs=" + qargs + "&filter=" + theFilter + "&sensors=" + theSensors + "&limit=" + limit + "&ts=" + theWhen; +- $(function(){ +- $.get(".inc/callback.php?" + urArgs, function(data){cb15(data,cbArgs)}); +- }); +- break; +- case "dstip": +- var cbArgs = "dstip"; +- var qargs = "ip-dst"; +- var urArgs = "type=15&qargs=" + qargs + "&filter=" + theFilter + "&sensors=" + theSensors + "&limit=" + limit + "&ts=" + theWhen; +- $(function(){ +- $.get(".inc/callback.php?" + urArgs, function(data){cb15(data,cbArgs)}); +- }); +- break; +- case "srcpt": +- var cbArgs = "srcpt"; +- var qargs = "pt-src"; +- var urArgs = "type=15&qargs=" + qargs + "&filter=" + theFilter + "&sensors=" + theSensors + "&limit=" + limit + "&ts=" + theWhen; +- $(function(){ +- $.get(".inc/callback.php?" + urArgs, function(data){cb17(data,cbArgs)}); +- }); +- break; +- case "dstpt": +- var cbArgs = "dstpt"; +- var qargs = "pt-dst"; +- var urArgs = "type=15&qargs=" + qargs + "&filter=" + theFilter + "&sensors=" + theSensors + "&limit=" + limit + "&ts=" + theWhen; +- $(function(){ +- $.get(".inc/callback.php?" + urArgs, function(data){cb17(data,cbArgs)}); +- }); +- break; +- case "signature": +- var qargs = "sig-sig"; +- var urArgs = "type=15&qargs=" + qargs + "&filter=" + theFilter + "&sensors=" + theSensors + "&limit=" + limit + "&ts=" + theWhen; +- $(function(){ +- $.get(".inc/callback.php?" + urArgs, function(data){cb16(data)}); +- }); +- break; +- case "srccc": +- var cbArgs = "srccc"; +- var qargs = "cc-src"; +- var urArgs = "type=15&qargs=" + qargs + "&filter=" + theFilter + "&sensors=" + theSensors + "&limit=" + limit + "&ts=" + theWhen; +- $(function(){ +- $.get(".inc/callback.php?" 
+ urArgs, function(data){cb15(data,cbArgs)}); +- }); +- break; +- case "dstcc": +- var cbArgs = "dstcc"; +- var qargs = "cc-dst"; +- var urArgs = "type=15&qargs=" + qargs + "&filter=" + theFilter + "&sensors=" + theSensors + "&limit=" + limit + "&ts=" + theWhen; +- $(function(){ +- $.get(".inc/callback.php?" + urArgs, function(data){cb15(data,cbArgs)}); +- }); +- break; +- } +- +- // IP and Country +- function cb15(data,cbArgs){ +- var ch = "SRC"; +- var wip = "d"; +- if (cbArgs[0] == "s") ch = "DST", wip = "s"; +- eval("raw=" + data); +- var tbl = '', head = '', row = ''; +- head += ""; +- head += "COUNT"; +- head += "%TOTAL"; +- head += "#SIG"; +- head += "#" + ch + ""; +- if (cbArgs[3] == "c") { +- head += "COUNTRY"; +- head += "#IP"; +- } else { +- head += "IP"; +- head += "COUNTRY"; +- } +- head += ""; +- +- var eventsum = raw[raw.length - 1].n || 0; +- var records = raw[raw.length - 1].r || 0; +- if (records == 0) { +- row = "No result."; +- $("#ov_" + cbArgs + "_sl").text(""); +- } +- for (var i=0; i 0) per = parseFloat(cnt/eventsum*100).toFixed(2); +- row += ""; +- row += "" + cnt + ""; +- row += "" + per + "%"; +- row += "" + sigs + ""; +- row += "" + ip2 + ""; +- +- if (cbArgs[3] == "c") { +- row += ""; +- row += cs[1] + clong + " (." + cc.toLowerCase() + ")" + ""; +- row += "" + ip + ""; +- } else { +- row += "
" + ip + ""; +- row += ""; +- row += cs[1] + clong + " (." + cc.toLowerCase() + ")" + ""; +- } +- row += ""; +- row += "
"; +- } +- tbl += ""; +- tbl += head; +- tbl += row; +- tbl += "
"; +- if ($("#top" + cbArgs)[0]) $("#top" + cbArgs).remove(); +- $("#ov_" + cbArgs + "_sl").after(tbl); +- $("#ov_" + cbArgs + "_msg").html("viewing " + i + " of " + records + " results"); +- mkSlider("ov_" + cbArgs + "_sl", i, records); +- } +- +- // Ports +- function cb17(data,cbArgs){ +- eval("raw=" + data); +- var tbl = '', head = '', row = ''; +- head += ""; +- head += "COUNT"; +- head += "%TOTAL"; +- head += "#SIG"; +- head += "#SRC" +- head += "#DST"; +- head += "PORT"; +- head += ""; +- +- var eventsum = raw[raw.length - 1].n || 0; +- var records = raw[raw.length - 1].r || 0; +- if (records == 0) { +- row = "No result."; +- $("#ov_" + cbArgs + "_sl").text(""); +- } +- for (var i=0; i 0) per = parseFloat(cnt/eventsum*100).toFixed(2); +- row += ""; +- row += "" + cnt + ""; +- row += "" + per + "%"; +- row += "" + sigs + ""; +- row += "" + src + ""; +- row += "" + dst + ""; +- row += "" + port + ""; +- row += ""; +- row += "
"; +- } +- tbl += ""; +- tbl += head; +- tbl += row; +- tbl += "
"; +- if ($("#top" + cbArgs)[0]) $("#top" + cbArgs).remove(); +- $("#ov_" + cbArgs + "_sl").after(tbl); +- $("#ov_" + cbArgs + "_msg").html("viewing " + i + " of " + records + " results"); +- mkSlider("ov_" + cbArgs + "_sl", i, records); +- } +- // Signature +- function cb16(data){ +- eval("raw=" + data); +- var tbl = '', head = '', row = ''; +- head += ""; +- head += "COUNT"; +- head += "%TOTAL"; +- head += "#SRC"; +- head += "#DST"; +- head += "SIGNATURE"; +- head += "ID"; +- head += ""; +- +- var eventsum = raw[raw.length - 1].n || 0; +- var records = raw[raw.length - 1].r || 0; +- if (records == 0) { +- row = "No result."; +- $("#ov_signature_sl").text(""); +- $("#ovestat").html("(No events)"); +- } else { +- $("#ovestat").html("(" + eventsum + " events)"); +- } +- for (var i=0; i 0) per = parseFloat(cnt/eventsum*100).toFixed(2); +- row += ""; +- row += "" + cnt + ""; +- row += "" + per + "%"; +- row += "" + src + ""; +- row += "" + dst + ""; +- row += "" + sig + ""; +- row += "" + sid + ""; +- row += ""; +- row += "
"; +- } +- +- tbl += ""; +- tbl += head; +- tbl += row; +- tbl += "
"; +- if ($('#topsignature')[0]) $('#topsignature').remove(); +- $("#ov_signature_sl").after(tbl); +- $("#ov_signature_msg").html("viewing " + i + " of " + records + " results"); +- mkSlider("ov_signature_sl", i, records); +- } +- } +- +- $(".ovsl").mouseup(function() { +- var section = $(this).attr('id'); +- var base = section.split("_")[1]; +- var limit = Number($("#" + section + "_lbl").text()); +- if (limit > 0) mkSummary(base, limit); +- }); +- +- // +- // Views tab +- // +- +- function loadViews() { +- $('.db_links').show(); +- if (!$("#db_view_cont")[0]) mkView(); +- } +- +- // Link handlers +- $(document).on('click', '.db_link', function() { +- $('.db_link').each(function() { +- if ($(this).data('state') == '1') { +- $(this).removeClass('db_link_active'); +- $(this).data('state', '0'); +- } +- }); +- $(this).data('state', '1'); +- mkView(); +- }); +- +- $(document).on('click', '.db_type', function() { +- $('.db_type').each(function() { +- if ($(this).data('state') == '1') { +- $(this).removeClass('db_type_active'); +- $(this).data('state', '0'); +- } +- }); +- $(this).data('state', '1'); +- mkView(); +- }); +- +- $(document).on('click','.db_save', function() { +- +- }); +- +- // Create the view +- function mkView() { +- $('#db_view_cont,#hp_info').remove(); +- if (!$("#db_view_ldr")[0]) { +- var view = 'ip'; +- $('.db_link').each(function() { +- if ($(this).data('state') == '1') { +- $(this).addClass('db_link_active'); +- view = $(this).data('val'); +- } +- }); +- +- var type = 'sk'; +- $('.db_type').each(function() { +- if ($(this).data('state') == '1') { +- $(this).addClass('db_type_active'); +- type = $(this).data('type'); +- } +- }); +- +- var theWhen = getTimestamp(); +- var theSensors = s2h('empty'); +- var theFilter = mkFilter(); +- // See if we are filtering by sensor +- if ($('.chk_sen:checked').length > 0) { +- var active_sensors = "AND event.sid IN("; +- var iter = $('.chk_sen:checked').length; +- $('.chk_sen:checked').each(function() { +- 
active_sensors += "'" + $(this).val() + "',"; +- }); +- active_sensors = active_sensors.replace(/,+$/,''); +- active_sensors += ")"; +- theSensors = s2h(active_sensors); +- } +- +- var ldr = "
"; +- $('.db_view').after(ldr); +- var qargs = view + "-" + type; +- var urArgs = "type=16&qargs=" + qargs + "&filter=" + theFilter + "&sensors=" + theSensors + "&ts=" + theWhen; +- $(function(){ +- $.get(".inc/callback.php?" + urArgs, function(data){cb17(data,type)}); +- }); +- +- function cb17(data,type) { +- eval("viewData=" + data); +- var records = viewData.records; +- if ($('#db_view_cont')[0]) $('#db_view_cont').remove(); +- if (records > 0) { +- $('.db_view').after("
"); +- switch (type) { +- case 'sk': +- var w = $(window).width(); +- var h = viewData.links.length * 12; +- if (h < 100) h = 100; +- mkSankey("db_view_cont",viewData,w,h); +- break; +- } +- } else { +- $('.db_view').after("
The query returned no results.
"); +- } +- $('#db_view_ldr').remove(); +- } +- } +- } +- +- // Make a map +- function doMap() { +- theWhen = getTimestamp(); +- var theFilter = mkFilter(); +- var working = "Working
"; +- +- $('#wm0').html(working); +- +- var urArgs = "type=" + 10 + "&filter=" + theFilter + "&ts=" + theWhen; +- $(function(){ +- $.get(".inc/callback.php?" + urArgs, function(data){cb10(data)}); +- }); +- +- function cb10(data){ +- eval("mapRaw=" + data); +- try { +- var mapDetail = $.parseJSON("{" + mapRaw.all + "}"); +- var srcc = mapRaw.srcc; +- var srce = mapRaw.srce; +- var dstc = mapRaw.dstc; +- var dste = mapRaw.dste; +- var allc = mapRaw.allc; +- var alle = mapRaw.alle; +- } +- catch(e) { +- var mapDetail = "{\"\"}"; +- } +- +- // What is our current event total? +- var esum = $('#event_sum').val(); +- var w = $(window).width() - 72; +- var h = w / 2.7 ; +- $("#ov_map").html("
"); +- $('#wm0').vectorMap({ +- map: 'world_mill_en', +- color: '#f4f3f0', +- backgroundColor: '#CFE1FC', +- zoomOnScroll: false, +- onRegionClick: function(event, code){ +- hItemAdd(code); +- $('#search').val("cc" + " " + code); +- $('#search').focus(); +- }, +- series: { +- regions: [{ +- values: mapDetail, +- scale: ['#ffffff', '#000000'], +- normalizeFunction: 'polynomial' +- }] +- }, +- onRegionLabelShow: function(e, el, code){ +- if (mapDetail[code]) { +- var eper = parseFloat(mapDetail[code]/esum*100).toFixed(3); +- el.html(el.html() + ' (' + mapDetail[code] + ' Events ' + eper + '% of Total)'); +- } else { +- el.html(el.html()); +- } +- } +- }); +- +- var stats = "("; +- stats += allc + " distinct countries)"; +- $("#ovmapstat").html(stats); +- } +- } +- +- // Redraw map +- $(document).on("click", "#map_src, #map_dst", function() { +- doMap($(this).attr('id').split("_")[1]); +- }); +- +- // +- // History +- // +- +- function doHistory(object) { +- $('#loader').show(); +- var urArgs = "type=" + 21 + "&object=" + s2h("aa" + object) + "&ts=" + theWhen; +- $(function(){ +- $.get(".inc/callback.php?" 
+ urArgs, function(data){cb21(data)}); +- }); +- +- function cb21(data){ +- eval("chartData=" + data); +- var r1 = chartData.r1; +- var r2 = chartData.r2; +- var sum = 0; +- if (r1 > 0) { +- mkHeatMap(".ev_hm",chartData.start,chartData.rows1,object); +- $('#obhist_sig').remove(); +- if (r2 > 0) { +- +- for (var i=0; i < r2; i++) { +- sum += Number(chartData.rows2[i].value); +- } +- +- var tbl = '', head = '', row = ''; +- head += ""; +- head += "COUNT"; +- head += "%TOTAL"; +- head += "SIGNATURE"; +- head += ""; +- row += ""; +- +- for (var i=0; i < r2; i++) { +- +- var cnt = chartData.rows2[i].value || "-"; +- var sig = chartData.rows2[i].label || "-"; +- var sid = chartData.rows2[i].sid || "-"; +- var per = 0; +- if (sum > 0) var per = parseFloat(cnt/sum*100).toFixed(2); +- var tsg = truncTag(sig,60); +- +- row += ""; +- row += "" + cnt + ""; +- row += "" + per + "%"; +- row += "" + tsg + ""; +- row += "" +- row += "
"; +- } +- +- row += ""; +- tbl += ""; +- tbl += head; +- tbl += row; +- tbl += "
";
+- if ($('#obhist_sig')[0]) $('#obhist_sig').remove();
+- $(".ev_py").append(tbl);
+- }
+- } else {
+- return;
+- }
+- if ($(".eview_charts")[0]) $('.eview_charts').slideDown('slow');
+- $("#loader").hide();
+- }
+- }
+-// The End.
+-});
+--- securityonion-squert-20161212.orig/auth/native/squert/login.php
++++ /dev/null
+@@ -1,158 +0,0 @@
+-
+-//
+-// This program is free software: you can redistribute it and/or modify
+-// it under the terms of the GNU General Public License as published by
+-// the Free Software Foundation, either version 3 of the License, or
+-// (at your option) any later version.
+-//
+-// This program is distributed in the hope that it will be useful,
+-// but WITHOUT ANY WARRANTY; without even the implied warranty of
+-// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+-// GNU General Public License for more details.
+-//
+-// You should have received a copy of the GNU General Public License
+-// along with this program. If not, see .
+-//
+-//
+-
+-include_once '.inc/config.php';
+-
+-$username = $password = $err = '';
+-$focus = 'username';
+-session_set_cookie_params(0, NULL, NULL, NULL, TRUE);
+-
+-function cleanUp($string) {
+- if (get_magic_quotes_gpc()) {
+- $string = stripslashes($string);
+- }
+- $string = mysql_real_escape_string($string);
+- return $string;
+-}
+-
+-if ($_SERVER['REQUEST_METHOD'] == 'POST'){
+- $username = $_REQUEST['username'];
+- $password = $_REQUEST['password'];
+- // sso
+- //$username = $_SERVER['PHP_AUTH_USER'];
+- //$password = $_SERVER['PHP_AUTH_PW'];
+-
+- $ua = $_SERVER['HTTP_USER_AGENT'];
+- $rqt = $_SERVER['REQUEST_TIME'];
+- $rqaddr = $_SERVER['REMOTE_ADDR'];
+- $max = mt_getrandmax();
+- $rqt .= mt_rand(0,$max);
+- $rqaddr .= mt_rand(0,$max);
+- $ua .= mt_rand(0,$max);
+- $cmpid = $rqt . $rqaddr . $ua;
+- $id = md5($cmpid);
+- // PDO prepared statements
+- try {
+- // first connect to database with the PDO object.
+- $dbpdo = new PDO("mysql:host=$dbHost;dbname=$dbName;charset=latin1", "$dbUser", "$dbPass", [
+- PDO::ATTR_EMULATE_PREPARES => false,
+- PDO::MYSQL_ATTR_USE_BUFFERED_QUERY => false,
+- PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION
+- ]);
+- } catch(PDOException $e){
+- // if connection fails, log PDO error.
+- error_log("Error connecting to mysql: ". $e->getMessage());
+- }
+-
+- if (isset($dbpdo)) {
+- // prepare statement
+- $statement = "SELECT * FROM user_info WHERE username = :user";
+- $query = $dbpdo->prepare("$statement");
+- // build parameters for prepared statement
+- $params = [":user" => "$username"];
+- // execute the prepared statement and pass it params
+- $query->execute($params);
+- // fetch the data
+- while ($row = $query->fetch(PDO::FETCH_NUM)) {
+- $userName = $row[1];
+- $lastLogin = $row[2];
+- $userHash = $row[3];
+- $userEmail = $row[4];
+- $userType = $row[5];
+- $userTime = $row[6];
+- $tzoffset = $row[7];
+- }
+-
+- // if $username was found in database, then check password
+- if ( isset($userName) && $username == $userName) {
+- // The first 2 chars are the salt
+- $theSalt = substr($userHash, 0,2);
+-
+- // The remainder is the hash
+- $theHash = substr($userHash, 2);
+-
+- // Now we hash the users input
+- $testHash = sha1($password . $theSalt);
+-
+- // Does it match? If yes, start the session.
+- if ($testHash === $theHash) {
+- session_start();
+-
+- // Protect against session fixation attack
+- if (!isset($_SESSION['initiated'])) {
+- session_regenerate_id();
+- $_SESSION['initiated'] = true;
+- }
+-
+- $_SESSION['sLogin'] = 1;
+- $_SESSION['sUser'] = $userName;
+- $_SESSION['sPass'] = $password;
+- $_SESSION['sEmail'] = $userEmail;
+- $_SESSION['sType'] = $userType;
+- $_SESSION['sTime'] = $userTime;
+- $_SESSION['tzoffset'] = $tzoffset;
+- $_SESSION['sTab'] = 't_sum';
+- $_SESSION['id'] = $id;
+-
+- header ("Location: index.php?id=$id");
+- } else {
+- $err = 'The user name or password is incorrect.';
+- $focus = 'username';
+- }
+- } else {
+- $err = 'The user name or password is incorrect.';
+- $focus = 'username';
+- }
+- } else {
+- $err = 'Connection Failed';
+- }
+-}
+-?>
+-
+-
+-
+-Please login to continue
+-
+-
+-
+-
+-
+-
+- +- +- +- +- +- +-
+-squert - Please login to continue
+-Username
+-
+-Password
+-
+-

+-
Version 1.7.1©2016 Paul Halliday
+-
+-
+-
+-
+-
+--- securityonion-squert-20161212.orig/auth/sso/squert/.js/squertMain.js
++++ /dev/null
+@@ -1,3276 +0,0 @@
+-/* Copyright (C) 2012 Paul Halliday */
+-
+-$(document).ready(function(){
+-
+- $(document).on('click', '[class*="bpr"]', function() {
+- // We disallow filtering if any events have already been selected
+- // or if we stray from the event tab
+- if ($('.d_row_active')[0]) return;
+- if ($(".chk_event:checked").length > 0) return;
+- if ($(".tab_active").attr('id') != 't_sum') return;
+-
+- var prClass = $(this).attr('class').split('b')[1];
+- var prOld = $(this).data('pr');
+-
+- function flipIt(pattern) {
+- $(pattern).closest('tr').hide();
+- $(pattern).closest('tr').attr('class','hidden');
+- if ($('#gr').text() == 'on') $(pattern).closest('tr').find('.chk_event').prop("disabled",true);
+- }
+- if ($('.b' + prClass).attr('class') == 'bprA') {
+- $('.b' + prClass).attr('class', 'bpr' + prOld);
+- $('.hidden').attr('class','d_row');
+- $('.d_row').show();
+- if ($('#gr').text() == 'on') {
+- $('.chk_event').prop("disabled",false);
+- $('.chk_all').prop("checked",false);
+- $('.chk_event').css("background-color", "#fafafa");
+- }
+- } else {
+- // See if we are already filtered
+- if ($('.bprA')[0]) {
+- $('.hidden').attr('class','d_row');
+- $('.d_row').show();
+- if ($('#gr').text() == 'on') {
+- $('.chk_event').prop("disabled",false);
+- $('.chk_all').prop("checked",false);
+- $('.chk_event').css("background-color", "#fafafa");
+- }
+- var prPrev = $('.bprA').data('pr');
+- $('.bprA').attr('class', 'bpr' + prPrev);
+- }
+- $('.b' + prClass).attr('class','bprA');
+- switch (prClass) {
+- case "pr1": ptrn = ".pr2,.pr3,.pr4"; break;
+- case "pr2": ptrn = ".pr1,.pr3,.pr4"; break;
+- case "pr3": ptrn = ".pr1,.pr2,.pr4"; break;
+- case "pr4": ptrn = ".pr1,.pr2,.pr3"; break;
+- }
+- flipIt(ptrn);
+- }
+- });
+-
+- //
+- // Load main content
+- //
+-
+- // Keep track of context
+- thisUser = $('#t_usr').data('c_usr');
+- thisTZ = $('#user_tz').val();
+- rtbit = 0; +- eventList("0-aaa-00"); +- $("#loader").show(); +- lastclasscount = 0; +- +- $(document).on("click", "#dt_savetz", function(event) { +- if ($('.dt_error').data('err') == 0) { +- var newOffset = $('#ts_offset').val(); +- profileUpdate("tz", s2h(newOffset)); +- $('#user_tz').val(newOffset); +- } +- }); +- +- // Depending on context a 'No result' may be confusing +- // so we turn off active queue and show everything +- $(document).on('click', '#retry', function() { +- $('#rt').attr('class','tvalue_off'); +- $('#rt').text('off'); +- rtbit = 0; +- $('.b_update').click(); +- }); +- +- // Get event statuses +- var eTotal = 0, qTotal = 0; +- function statusPoll(caller) { +- // See if we are filtering by sensor +- var theSensors = s2h('empty'); +- if ($('.chk_sen:checked').length > 0) { +- var active_sensors = "AND event.sid IN("; +- var iter = $('.chk_sen:checked').length; +- $('.chk_sen:checked').each(function() { +- active_sensors += "'" + $(this).val() + "',"; +- }); +- active_sensors = active_sensors.replace(/,+$/,''); +- active_sensors += ")"; +- theSensors = s2h(active_sensors); +- } +- +- var urArgs = "type=" + 6 + "&ts=" + theWhen + "&sensors=" + theSensors; +- $(function(){ +- $.get(".inc/callback.php?" + urArgs, function(data){cb(data)}); +- }); +- +- function cb(data){ +- // Check to make sure we still have a valid session. If we don't +- // let the user know and return them to the login page. +- if (data[0] == "<") { +- $("span.class_msg").text("Your session has expired!"); +- $("span.class_msg").css("background-color", "#cc0000"); +- $("span.class_msg").css("color", "#fff"); +- $("span.class_msg").show(); +- var sessionDead = confirm("Your session has expired. Press \"OK\" to return to the login page. If you aren't finished with what you were looking at click 'Cancel'. 
Note: you won't be able to perform any actions."); +- if (sessionDead) { +- $("#logout").click(); +- } +- } +- eval("ec=" + data); +- +- var esum = 0; +- +- for (var i=0; i 0) { +- var p = parseFloat(ecount/esum*100).toFixed(1); +- var w = parseInt(p*2); +- } +- if (eclass == 0) { +- qTotal = ecount; +- } +- $("#c-" + eclass).text(ecount); +- $("#c-" + eclass).append("(" + p + "%)"); +- } +- +- var lastcount = $("#cat_sum").val(); +- var newcount = esum; +- $("#cat_sum").val(esum); +- eTotal = esum; +- $("#event_sum").val(eTotal); +- +- if (caller == 0) { // Fresh load +- lastcount = newcount; +- } +- +- // Last RT value +- var lastQ = Number($("#qtotal").html()); +- if (lastcount < newcount) { +- $("#etotal").html(eTotal); +- } +- +- if (lastQ < qTotal) { +- if (caller != 0) { +- if ($(".icon_notifier").css('display') == 'none') $(".icon_notifier").fadeToggle(); +- } +- $("#etotal").html(eTotal); +- $("#qtotal").html(qTotal); +- } +- +- $("#title").html("squert (" + qTotal + ") - " + thisUser); +- +- } +- +- } +- +- // +- // Event monitor (how often we poll for new events) +- // +- +- var emTimeout = 30000; +- window.setInterval(function(){ +- if ($('#search').val().length == 0) { +- statusPoll(1); +- } +- }, emTimeout); +- +- $(document).on("click", '[class*="cl_"]', function(event) { +- var nc = $(this).attr('class').split("_"); +- var ct = $(this).parents('table').data('comment'); +- $(".cat_msg_txt").val(ct); +- $('#b_class-' + nc[1]).click(); +- }); +- +- // Tabs +- var tab_cached = $("#sel_tab").val(); +- +- switch (tab_cached) { +- case "t_sum": +- $('.content-right').show(); +- break; +- case "t_ovr": +- $('.content-right').hide(); +- $('.content-left').hide(); +- if ($('#ovestat').text().length == 0) loadSummary(); +- break; +- case "t_view": +- $('.content-right').hide(); +- $('.content-left').hide(); +- loadViews(); +- default: +- $('.content-right').hide(); +- $('.content-left').hide(); +- break; +- } +- +- $('#' + 
tab_cached).attr('class','tab_active'); +- $("#" + tab_cached + "_content").attr('class','content_active'); +- +- $(".tab,.tab_active").click(function(event) { +- var active = $(".tab_active").attr('id'); +- var content = $(".content_active").attr('id'); +- if ($(".fl_val_on")[0]) { +- $('.b_update').click(); +- } +- +- if ( this.id != active ) { +- $("#" + active).removeClass('tab_active'); +- $("#" + active).addClass('tab'); +- $(this).attr('class','tab_active'); +- $("#" + content).attr('class','content'); +- $("#" + this.id + "_content").attr('class','content_active'); +- activeTab = $(".tab_active").attr('id'); +- $('.pin').hide(); +- +- switch (activeTab) { +- case "t_sum": +- $('.content-right').show(); +- if (Number($('.botog').data('val')) == 1) $('.content-left').show(); +- $('.t_pbar').css('opacity',1); +- $('.db_links').hide(); +- $('.pin').show(); +- break; +- case "t_ovr": +- $('.content-right').hide(); +- $('.content-left').hide(); +- if ($('#ovestat').text().length == 0) loadSummary(); +- $('.t_pbar').css('opacity',.1); +- $('.db_links').hide(); +- break; +- case "t_view": +- $('.content-right').hide(); +- $('.content-left').hide(); +- $('.t_pbar').css('opacity',.1); +- loadViews(); +- break; +- default: +- $('.content-right').hide(); +- $('.content-left').hide(); +- $('.t_pbar').css('opacity',.1); +- $('.db_links').hide(); +- break; +- } +- +- $('#sel_tab').val(activeTab); +- var ctab = $('#sel_tab').val(); +- var urArgs = "type=" + 5 + "&tab=" + ctab; +- $.get(".inc/callback.php?" 
+ urArgs); +- } +- }); +- +- // Sub tab groups +- $(".tsg").click(function(event) { +- var nc = Number($(this).attr('class').split(/\s/).length); +- var ct = $(this).data('tab'); +- $('.tsg_active').attr('class','tsg'); +- $(this).attr('class','tsg tsg_active'); +- }); +- +- // Toggle and update views +- function newView(req) { +- // No racing please +- var bail = $("#loader").css('display'); +- if (bail != 'none') return; +- // Remove any stale views +- $("#tl0,#tl1,#tl3a,#tl3b").remove(); +- var f = "0-aaa-00"; +- var s = "2a-aaa-00"; +- var cv = $("#gr").text(); +- +- switch (cv) { +- case "on": +- eventList(f); +- $("#loader").show(); +- break; +- case "off": +- eventList(s); +- $("#loader").show(); +- break; +- } +- } +- +- // Group and ungroup +- $(document).on("click", "#gr", function(event) { +- var bail = $("#loader").css('display'); +- if (bail != 'none') return; +- var cv = $('#gr').text(); +- switch (cv) { +- case 'on': +- $('#gr').attr('class','tvalue_off'); +- $('#gr').text('off'); +- break; +- case 'off': +- $('#gr').attr('class','tvalue_on'); +- $('#gr').text('on'); +- $("#event_sort").val("DESC"); +- break; +- } +- }); +- +- // RT check/uncheck +- $(document).on("click", "#rt", function(event) { +- var bail = $("#loader").css('display'); +- if (bail != 'none') return; +- var cv = $('#rt').text(); +- switch (cv) { +- case 'on': +- $('#rt').attr('class','tvalue_off'); +- $('#rt').text('off'); +- rtbit = 0; +- break; +- case 'off': +- $('#rt').attr('class','tvalue_on'); +- $('#rt').text('on'); +- rtbit = 1; +- break; +- } +- }); +- +- // Toggle side/lower bars +- $(document).on("click", ".botog", function(event) { +- if ($('.tab_active').attr('id') != 't_sum') return; +- var n = Number($('.botog').data("val")); +- switch (n) { +- case 1: +- $('.botog').data("val","0"); +- $('.content-right').css("width","100%"); +- $('.botog').attr('src','.css/layout0.png'); +- break; +- case 0: +- $('.botog').data("val","1"); +- 
$('.content-right').css("width","82%"); +- $('.botog').attr('src','.css/layout1.png'); +- break; +- } +- $('.bottom').animate({height: 'toggle'}); +- $('.content-left').animate({width: 'toggle'}); +- }); +- +- // Section show and hide +- $(".st").click(function() { +- var thisSec = $(this).data("sec"); +- var thisSecID = "#sec_" + thisSec; +- var thisSecVis = $(thisSecID).css("display"); +- var lastSection = "h"; +- switch (thisSecVis) { +- case "none": +- $(this).attr("src", ".css/uarr.png"); +- $(thisSecID).slideDown(); +- break; +- default: +- $(this).attr("src", ".css/darr.png"); +- $(thisSecID).slideUp(); +- break; +- } +- }); +- +- // If search is in focus, update on enter +- $('#search').keypress(function(e) { +- if (!e) e=window.event; +- key = e.keyCode ? e.keyCode : e.which; +- if (key == 13) { +- // Close comment box if it is open +- if ($('#cat_box').css('display') != 'none') { +- $('#ico01').click(); +- } +- $('.b_update').click(); +- } +- }); +- +- // Sort ASC/DESC +- $(document).on("click", ".event_time", function(event) { +- var csv = $(".event_time").text(); +- switch (csv) { +- case "show oldest first": +- $("#event_sort").val("ASC"); +- break; +- case "show newest first": +- $("#event_sort").val("DESC"); +- break; +- } +- newView("u"); +- }); +- +- // Update page +- $(document).on("click", ".b_update", function(event) { +- $(".icon_notifier").fadeToggle(); +- $(".tag").remove(); +- $(".tag_empty").show(); +- // Remove any supplementary results +- if ($("#extresult")[0]) $("#extresult").remove(); +- // Where are we? 
+- var curTab = $('.tab_active').attr('id'); +- switch (curTab) { +- case 't_ovr': +- loadSummary(); +- break; +- case 't_view': +- mkView(); +- break; +- default: +- $(".b_update_note").hide(); +- newView("u"); +- break; +- } +- }); +- +- // Clear search and refresh +- $('#clear_search').click(function() { +- if ($('#search').val() != '') { +- $('#search').val(''); +- $("#search").focus(); +- if ($(".fl_val_on")[0]) { +- $('.b_update').click(); +- } +- } +- }); +- +- // Logout +- $("#logout").click(function(event) { +- //$.get("/logout.html", function(){location.reload()}); +- location.replace("/logout.html"); +- }); +- +- // Toggle filters +- $(document).on('click', '.fl_val_on', function(event) { +- var wF = $(this).data("ft"); +- switch (wF) { +- case "tl": +- +- break; +- case "ob": +- $('#clear_search').click(); +- break; +- case "sn": +- $(".chk_sen").each(function() { +- $(this).prop("checked",false); +- }); +- $('.b_update').click(); +- break; +- } +- }); +- +- function clearTags() { +- //$(".tag").remove(); +- //$(".tag_empty").show(); +- $(".tag").removeClass('tag_active'); +- } +- +- // +- // Rows +- // +- +- function closeRow() { +- $("#active_eview").remove(); +- $("#" + this.id).attr('class','d_row'); +- $(".d_row").css('opacity','1'); +- ltCol = $(".d_row_active").find('td.lt').html(); +- $(".d_row_active").find('td.lt').css('background', ltCol); +- $(".d_row_active").attr('class','d_row'); +- // Update class_count +- $("#class_count").text(lastclasscount); +- // Get rid of any crashed loaders +- $("#loader").hide(); +- // Reset checkbox +- $(".chk_all").prop("checked",false); +- // Clear Tags +- clearTags(); +- } +- function closeSubRow() { +- $("#eview_sub1").remove(); +- $("#" + this.id).attr('class','d_row_sub'); +- $(".d_row_sub").css('opacity','1'); +- $(".d_row_sub_active").attr('class','d_row_sub'); +- // Update class_count +- $("#class_count").text(lastclasscount); +- curclasscount = lastclasscount; +- $("#loader").hide(); +- // Reset and 
show checkbox +- $(".chk_all").prop("checked",false); +- $("#ca0").show(); +- // Remove any open externals +- if ($("#extresult")[0]) $("#extresult").remove(); +- // Clear Tags +- clearTags(); +- } +- function closeSubRow1() { +- $("#eview_sub2").remove(); +- $("#" + this.id).attr('class','d_row_sub1'); +- if (!$("#eview_sub3")[0]) { +- $(".d_row_sub1").css('opacity','1'); +- $(".d_row_sub_active1").attr('class','d_row_sub1'); +- } +- $("#loader").hide(); +- // Reset checkbox +- $(".chk_all").prop("checked",false); +- // Remove any open externals +- if ($("#extresult")[0]) $("#extresult").remove(); +- // Clear Tags +- clearTags(); +- } +- function closeSubRow2() { +- $("#eview_sub3").remove(); +- $("#" + this.id).attr('class','d_row_sub1'); +- if (!$("#eview_sub2")[0]) { +- $(".d_row_sub1").css('opacity','1'); +- $(".d_row_sub1_active").attr('class','d_row_sub1'); +- } +- $("#loader").hide(); +- // Clear Tags +- clearTags(); +- } +- +- // +- // Level 1 +- // +- +- $(document).on("click", ".row_active", function(event) { +- var curID = $(this).parent('tr').attr('id'); +- // What type of row are we? +- rowType = curID.substr(0,3); +- +- // Make sure no other instances are open +- if (!$(".d_row_active")[0] && rowType == 'sid') { +- $("#loader").show(); +- // This leaves us with sid-gid +- var rowValue = curID.replace("sid-",""); +- var sigID = rowValue.split("-")[0]; +- +- $(".d_row_active").attr('class', 'd_row'); +- $("#active_eview").attr('class','d_row'); +- +- // This is now the active row +- $("#" + curID).attr('class','d_row_active'); +- $("html, body").animate({ scrollTop: $('.d_row_active').offset().top - 140 }, 20); +- // History +- var itemToAdd = $("#" + curID).find('[class*="row_filter"]').text(); +- hItemAdd(itemToAdd); +- // Set the class count (counted again after load) +- curclasscount = $('.d_row_active').data('event_count'); +- var cols = $('th.sort').length; +- var tbl = ''; +- tbl += ""; +- tbl += "
"; +- tbl += "
"; +- tbl += "
"; +- tbl += "
"; +- tbl += "
"; +- tbl += "
"; +- tbl += "
"; +- tbl += "
"; +- tbl += ""; +- tbl += "CATEGORIZE"; +- tbl += curclasscount + "EVENT(S)  "; +- tbl += "    "; +- tbl += "CREATE FILTER: "; +- tbl += "src  "; +- tbl += "dst  "; +- tbl += "both"; +- tbl += "
"; +- $("#" + curID).after(tbl); +- +- // Lookup signature +- sigLookup(rowValue); +- +- // Fetch results +- eventList("1-" + rowValue); +- +- $("#eview").show(); +- $(".d_row").fadeTo('0','0.2'); +- } else { +- closeRow(); +- } +- }); +- +- // +- // Level 2 +- // +- +- $(document).on("click", ".sub_active", function() { +- if (!$(".d_row_sub_active")[0]) { +- var callerID = $(this).parent('tr').attr('id'); +- +- // Reset checkbox +- $(".chk_all").prop("checked",false); +- +- // RT or ALL? +- switch (rtbit) { +- case 1: adqp = s2h("AND event.status = 0"); break; +- case 0: adqp = s2h("empty"); break; +- } +- // We are now the active row +- $("#" + callerID).attr('class','d_row_sub_active'); +- +- // Populate search times +- var bt = $("#" + callerID).find('[class*="timestamp"]').html(); +- var est = mkStamp(bt,"-",3600000,thisTZ); +- var eet = mkStamp(bt,"+",3600000,thisTZ); +- +- $('#el_start').val(est); +- $('#el_end').val(eet); +- +- // Clear search terms +- $("#srchterms").html(''); +- $(".srch_txt").val(''); +- +- // History and search +- $("#" + callerID).find('[class*="sub_filter"]').each(function() { +- if ($(this).data('type') == 'cc') { +- var itemToAdd = $(this).data('value'); +- } else { +- var itemToAdd = $(this).text(); +- // Add search terms +- $("#srchterms").append("" + itemToAdd + "  "); +- } +- hItemAdd(itemToAdd); +- }); +- +- $("#loader").show(); +- eventList("2-" + callerID + "-" + adqp); +- } else { +- closeSubRow(); +- } +- }); +- +- // +- // Level 3 (a or b) request payload +- // +- +- $(document).on("click", ".sub1_active", function() { +- // Close transcript if it is open +- if ($(".eview_sub3")[0]) closeSubRow2(); +- if (!$(".d_row_sub_active1")[0]) { +- var callerID = $(this).parent('tr').attr('id'); +- $("#" + callerID).attr('class','d_row_sub_active1'); +- +- // Populate search times +- var bt = $("#" + callerID).find('[class*="timestamp"]').html(); +- var est = mkStamp(bt,"-",1800000,thisTZ); +- var eet = 
mkStamp(bt,"+",1800000,thisTZ); +- +- $('#el_start').val(est); +- $('#el_end').val(eet); +- +- // Clear search terms +- $("#srchterms").html(''); +- $(".srch_txt").val(''); +- +- // History +- $("#" + callerID).find('[class*="sub_filter"]').each(function() { +- if ($(this).data('type') == 'cc') { +- var itemToAdd = $(this).data('value'); +- } else { +- var itemToAdd = $(this).text(); +- } +- if ($(this).data('type') == 'ip') { +- // Add search terms +- $("#srchterms").append("" + itemToAdd + "  "); +- } +- hItemAdd(itemToAdd); +- }); +- $("#loader").show(); +- eventList("3-" + callerID); +- } else { +- closeSubRow1() +- } +- }); +- +- // +- // Level 3 (a or b) request transcript +- // +- +- $(document).on("click", ".sub2_active", function(event) { +- // Close payload if it is open +- if ($(".eview_sub2")[0]) closeSubRow1(); +- var bail = $("#loader").css('display'); +- if (bail != 'none') return; +- if (!$(".eview_sub3")[0]) { +- $("#loader").show(); +- composite = $(this).data('tx').split("-"); +- rowLoke = composite[0]; +- $("#" + rowLoke).attr('class','d_row_sub1_active'); +- nCols = $("#" + rowLoke).find('td').length; +- cid = composite[1]; +- txdata = composite[2]; +- +- // See if a transcript is available +- var urArgs = "type=" + 7 + "&txdata=" + txdata; +- $(function(){ +- $.post(".inc/callback.php?" + urArgs, function(data){cb5(data)}); +- }); +- +- function cb5(data){ +- eval("txRaw=" + data); +- txCMD = txRaw.cmd; +- txResult = txRaw.tx; +- txDebug = txRaw.dbg; +- if (txResult == "DEBUG:") txResult += " No data was returned."; +- if (!txResult) { +- txResult = "Transcript request failed!

"; +- txResult += "The command was:
" + txCMD + "

"; +- txResult += "The response was:" + txDebug.replace(/DEBUG:/g,"
"); +- } +- +- var row = '',tbl = ''; +- row += ""; +- row += ""; +- row += "
"; +- row += txResult; +- row += "
"; +- +- tbl += ""; +- tbl += row; +- tbl += ""; +- $("#" + rowLoke).after(tbl); +- +- // Turn off fade effect for large results +- var rC = $(".d_row_sub1").length; +- if ( rC <= 399 ) { +- $(".d_row_sub1").fadeTo('fast','0.2'); +- } +- +- $("#loader").hide(); +- } +- } else { +- closeSubRow2(); +- } +- }); +- +- // Toggle RT depending on entry point +- $(document).on("click", ".b_ec_hot", function() { +- rtbit = 1; +- }); +- $(document).on("click", ".b_ec_total", function() { +- rtbit = 0; +- }); +- +- // Filter constructor +- function mkFilter() { +- if ($('#search').val().length > 0) { +- +- var srchVal = $('#search').val(); +- var fParts = ""; +- +- // If no term is supplied default to a string, IP or wildcard IP search +- chkVal: +- if (srchVal.indexOf(" ") == -1 && srchVal[0] != "!") { +- var re = /^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}/; +- if (re.exec(srchVal)) { +- srchVal = "ip " + srchVal; +- break chkVal; +- } +- +- var re = /^(\d{1,3}|%)\.(\d{1,3}|%)\.(\d{1,3}|%)\.(\d{1,3}|%)/; +- if (re.exec(srchVal)) { +- srchVal = "wip " + srchVal; +- break chkVal; +- } +- +- srchVal = "sig " + srchVal; +- } +- +- fParts = srchVal.replace(/^!/,"").split(" "); +- if (fParts[0] == 'cmt') { +- var theFilter = s2h($('#search').val()); +- rtbit = 0; +- } else { +- // Now see if the requested filter exists +- if ($("#tr_" + fParts[0]).length > 0) { +- tmpFilter = $("#tr_" + fParts[0]).data('filter'); +- // Now see if we need to modify the query +- if (fParts[1]) { +- // This is the base filter +- preFilter = h2s(tmpFilter); +- // This is the user supplied text. 
+- var re = new RegExp("^" + fParts[0] + "\\s{1}|[';\\\`]","g"); +- theQuestion = fParts.join(' ').replace(re, ""); +- // We will accept multiple questions if they are comma delimited +- questionParts = theQuestion.split(","); +- if (questionParts.length > 1) { +- var f = '('; +- for (var i = 0; i < questionParts.length; i++) { +- f += preFilter.replace(/\$/g, questionParts[i]); +- if (i != (questionParts.length - 1)) { +- f += " OR "; +- } +- } +- f += ')'; +- theFilter = s2h(f); +- } else { +- var newFilter = preFilter.replace(/\$/g, questionParts[0]); +- theFilter = s2h(newFilter); +- } +- } else { +- theFilter = tmpFilter; +- } +- } else { // The filter does not exist +- theFilter = s2h('empty'); +- } +- } +- } else { // No filter supplied +- theFilter = s2h('empty'); +- } +- return theFilter; +- } +- +- // +- // This creates the views for each level +- // +- +- function eventList (type) { +- theWhen = getTimestamp(); +- statusPoll(0); +- var parts = type.split("-"); +- var filterMsg = ''; +- var rt = 0; +- var theSensors = s2h('empty'); +- var theFilter = mkFilter(); +- +- // See if we are just RT events +- if ($('#rt').text() == 'on' || rtbit == 1) { +- rt = 1; +- rtbit = 1; +- } +- // How are we sorting? 
+- var sortval = $("#event_sort").val(), sorttxt; +- switch (sortval) { +- case "DESC": sorttxt = "show oldest first"; break; +- case "ASC": sorttxt = "show newest first"; break; +- } +- +- // See if we are filtering by sensor +- if ($('.chk_sen:checked').length > 0) { +- var active_sensors = "AND event.sid IN("; +- var iter = $('.chk_sen:checked').length; +- $('.chk_sen:checked').each(function() { +- active_sensors += "'" + $(this).val() + "',"; +- }); +- active_sensors = active_sensors.replace(/,+$/,''); +- active_sensors += ")"; +- theSensors = s2h(active_sensors); +- } +- +- // Check for any filters +- if (h2s(theFilter) != 'empty') { +- $('.fl_val').text('YES'); +- } else { +- $('.fl_val').text('NO'); +- } +- +- switch (parts[0]) { +- +- // Level 0 view - Grouped by Signature +- case "0": +- $('.value').text('-'); +- +- // Times Chart +- var urChrtArgs = "type=22&ts=" + theWhen + "&filter=" + theFilter + "&sensors=" + theSensors; +- $(function(){ +- $.get(".inc/callback.php?" + urChrtArgs, function(data){cb22(data)}); +- }); +- +- function cb22(data){ +- eval("chartData=" + data); +- var r = chartData.r; +- if (r > 0) { +- mkLine(".times",chartData.rows,chartData.m); +- } +- } +- +- var urArgs = "type=" + parts[0] + "&ts=" + theWhen + "&filter=" + theFilter + "&sensors=" + theSensors + "&rt=" + rt + "&sv=" + sortval; +- $(function(){ +- $.get(".inc/callback.php?" 
+ urArgs, function(data){cb1(data)}); +- }); +- function cb1(data){ +- eval("d0=" + data); +- var tbl = ''; +- var head = ''; +- var row = ''; +- var cols = 11; +- +- if (rt == 0) cols = 12; +- head += ""; +- head += ""; +- head += "QUEUE"; +- if (rt == 0) head += "ALL"; +- head += ""; +- head += "SC"; +- head += "DC"; +- if (rt == 0) head += "CLASS"; +- head += "ACTIVITY"; +- head += "LAST EVENT"; +- head += "SIGNATURE"; +- head += "ID"; +- head += "PROTO"; +- head += "% TOTAL"; +- head += ""; +- +- var sumEC = 0, sumSC = 0, sumDC = 0, sumSI = "-", spr1 = 0, spr2 = 0, spr3 = 0, spr4 = 0; +- +- if (d0.length > 0) { +- // Sums for boxes +- for (var i=0; i"; +- row += "No result. If this is unexpected try this"; +- } +- +- if (rt == 1) { +- sumSC = "-"; +- sumDC = "-"; +- sumEC = eTotal; +- } +- +- var sumRT = 0; +- +- // Tag Array +- var tags = new Array(); +- +- for (var i=0; i 0 ) { +- rtClass = "b_ec_hot"; +- sumRT += parseInt(unClass); +- } else { +- rtClass = "b_ec_cold"; +- } +- +- // Sum priorities +- var prC = Number(d0[i].f1); +- switch (d0[i].f13) { +- case "1": spr1 += prC; break; +- case "2": spr2 += prC; break; +- case "3": spr3 += prC; break; +- default: spr4 += prC; break; +- } +- +- rid = "r" + i + "-" + parts[1]; +- var cells = mkGrid(d0[i].f12); +- if (rt == 0) var catCells = catGrid(d0[i].f11,0,0); +- row += ""; +- row += "
" + unClass + "
"; +- if (rt == 0) row += "
" + d0[i].f1 + "
"; +- row += "
" + d0[i].f13 + "
"; +- row += "" +d0[i].f6+ ""; +- row += "" +d0[i].f7+ ""; +- if (rt == 0) row += "" + catCells + ""; +- +- timeParts = d0[i].f5.split(" "); +- timeStamp = timeParts[1]; +- +- if ( sumEC > 0) { +- rowPer = Number(d0[i].f1/sumEC*100).toFixed(3); +- } else { +- rowPer = "0.000"; +- } +- +- row += "" + cells + ""; +- row += "" + timeStamp + ""; +- row += ""; +- //row += "
" + d0[i].f2 + "
"; +- row += d0[i].f2 + ""; +- row += "" + d0[i].f3 + ""; +- row += "" + d0[i].f8 + ""; +- +- +- row += "" + rowPer + "%"; +- row += ""; +- } +- +- // Populate event summary +- $('#qtotal').text(sumRT); +- $('#etotal').text(sumEC); +- $('#esignature').text(sumSI); +- +- // Populate tags +- for (var i=0; i < tags.length; i++) { +- addTag(tags[i]); +- } +- +- tbl += ""; +- tbl += head; +- tbl += row; +- tbl += "
"; +- +- $('#' + parts[1] + '-' + parts[2]).append(tbl); +- +- if (d0.length > 0) { +- var prVals = [spr1,spr2,spr3,spr4]; +- var pryBar = mkPribar(prVals); +- } else { +- var pryBar = mkPribar([0]); +- } +- $('#tl1').fadeIn('slow'); +- $("#tl1").tablesorter(); +- $("#loader").hide(); +- } +- break; +- +- // Level 1 view - Grouped by signature, source, destination +- +- case "1": +- var urArgs = "type=" + parts[0] + "&object=" + parts[1] + "&ts=" + theWhen + "&filter=" + theFilter + "&sensors=" + theSensors + "&rt=" + rt + "&sv=" + sortval; +- $(function(){ +- $.get(".inc/callback.php?" + urArgs, function(data){cb2(data)}); +- }); +- +- function cb2(data){ +- eval("theData=" + data); +- tbl = ''; +- head = ''; +- row = ''; +- head += "QUEUE"; +- if (rt == 0) head += "TOTAL"; +- if (rt == 0) head += "CLASS"; +- head += "ACTIVITY"; +- head += "LAST EVENT"; +- head += "SOURCE"; +- head += "AGE"; +- head += "COUNTRY"; +- head += "DESTINATION"; +- head += "AGE"; +- head += "COUNTRY"; +- head += ""; +- var curclasscount = 0, tlCount = 0, rtCount = 0; +- var timeValues = "", scid = ""; +- +- // Tag array +- var tags = new Array(); +- +- for (var i=0; i 0 ) { +- rtClass = "b_ec_hot"; +- isActive = "sub_active"; +- } else { +- rtClass = "b_ec_cold"; +- isActive = "sub"; +- } +- +- // Aggregate time values +- timeValues += theData[i].c_ts + ","; +- var cells = mkGrid(theData[i].f12); +- if (rt == 0) var catCells = catGrid(theData[i].c_status,0,0); +- +- // Event sums +- tlCount += parseInt(count,10); +- rtCount += parseInt(unclass,10); +- +- rid = "r" + i + "-" + parts[1] + "-" + src_ip + "-" + dst_ip; +- row += ""; +- row += "
" + unclass + "
"; +- if (rt == 0) row += "
" + count + "
"; +- if (rt == 0) row += "" + catCells + ""; +- row += "" + cells + ""; +- row += "" + max_time + ""; +- row += "
" + src_ip + ""; +- row += "" + src_age_n + ""; +- row += ""; +- row += cs[1] + src_clong + " (." + src_cc.toLowerCase() + ")" + ""; +- row += "
" + dst_ip + ""; +- row += "" + dst_age_n + ""; +- row += ""; +- row += cd[1] + dst_clong + " (." + dst_cc.toLowerCase() + ")" + ""; +- row += ""; +- } +- +- // Populate tags +- for (var i=0; i < tags.length; i++) { +- addTag(tags[i]); +- } +- +- // Add scid's to checkbox +- $("#ca0").data("scid", scid.replace(/,$/, "")); +- +- // If queue is empty provide event sums in case the user +- // intends to reclass anything +- if (rtbit == 1) { +- curclasscount = rtCount; +- } else { +- curclasscount = tlCount; +- } +- +- // update class_count +- $("#class_count").html(curclasscount); +- lastclasscount = $("#class_count").html(); +- +- // While in grouped events (RT) we remove rows as +- // they are classed and subtract the values from "Total Events" +- // This keeps etotal up to date so the math doesn't get silly +- var oldrt = Number($(".d_row_active").find(".b_ec_hot").text()); +- var oldec = Number($("#etotal").text()); +- if (oldrt < rtCount) { +- newrtcount = parseInt((rtCount - oldrt) + oldec); +- $("#etotal").text(newrtcount); +- } +- +- // Update parent counts +- $(".d_row_active").find(".b_ec_hot").text(rtCount); +- if (rt == 0) $(".d_row_active").find(".b_ec_total").text(tlCount); +- +- tbl += "
"; +- tbl += head; +- tbl += row; +- tbl += "
"; +- $("#eview").after(tbl); +- $("#tl2").tablesorter({ +- headers: { +- 4: {sorter:'ipv4'}, +- 6: {sorter:'ipv4'} +- } +- }); +- $("#loader").hide(); +- } +- break; +- +- // Level 2 view - No grouping, individual events +- +- case "2": +- var rowLoke = parts[1]; +- var filter = $('#' + parts[1]).data('filter'); +- var urArgs = "type=" + parts[0] + "&object=" + filter + "&filter=" + theFilter + "&sensors=" + theSensors + "&ts=" + theWhen + "&adqp=" + parts[2] + "&rt=" + rt + "&sv=" + sortval; +- $(function(){ +- $.get(".inc/callback.php?" + urArgs, function(data){cb3(data)}); +- }); +- +- function cb3(data){ +- eval("d2=" + data); +- tbl = ''; +- head = ''; +- row = ''; +- head += ""; +- head += ""; +- head += "ST"; +- head += "TIMESTAMP"; +- head += "EVENT ID"; +- head += "SOURCE"; +- head += "PORT"; +- head += "DESTINATION"; +- head += "PORT"; +- head += "SIGNATURE"; +- head += ""; +- +- // Update class_count +- $("#class_count").html(0); +- var tlCount=0, rtCount=0; +- +- // Tag array +- var tags= new Array(); +- +- for (var i=0; i"; +- tclass = "c" + eclass; +- cv = classifications.class[tclass][0].short; +- +- // Populate tags array +- if (src_tag != "-") { +- var src_tags = src_tag.split(","); +- $.each(src_tags, function(n,tag) { +- var t = tags.indexOf(tag); +- if (t < 0) tags.push(tag); +- }); +- } +- +- if (dst_tag != "-") { +- var dst_tags = dst_tag.split(","); +- $.each(dst_tags, function(n,tag) { +- var t = tags.indexOf(tag); +- if (t < 0) tags.push(tag); +- }); +- } +- +- // Timestamp +- var compts = d2[i].f2.split(",") || "--"; +- var timestamp = compts[0]; +- var utctimestamp = compts[1]; +- +- // Event sums +- tlCount += parseInt(1,10); +- if (cv == "RT") { +- rtCount += parseInt(1,10); +- } +- +- // Transcript link +- // original Squert native pivot: +- //txdata = "s" + i + "-" + cid + "-" + s2h(sid + "|" + utctimestamp + "|" + src_ip + "|" + src_port + "|" + dst_ip + "|" + dst_port); +- //txBit = "" + sid + "." + cid + "
"; +- //if (src_port != "-" && dst_port != "-") { +- // txBit = "" + sid + "." + cid + ""; +- //} +- // new pivot to CapMe: +- txdata = "s" + i + "-" + cid + "-" + s2h(sid + "|" + utctimestamp + "|" + src_ip + "|" + src_port + "|" + dst_ip + "|" + dst_port); +- txBit = "" + sid + "." + cid + ""; +- if (src_port != "-" && dst_port != "-") { +- var startDate = new Date(utctimestamp); +- var start_tz_offset = (startDate.getTimezoneOffset()); +- var stime = startDate.setTime( startDate.getTime()/1000-(start_tz_offset*60) ) - 3600; +- var endDate = new Date(utctimestamp); +- var end_tz_offset = (endDate.getTimezoneOffset()); +- var etime = endDate.setTime( endDate.getTime()/1000-(end_tz_offset*60) ) + 3600; +- txBit = " " + sid + "." + cid + ""; +- } +- +- row += ""; +- row += "
"; +- row += cv + "
"; +- row += "" + timestamp + ""; +- row += txBit; +- row += "" + src_ip + ""; +- row += "" + src_port + ""; +- row += "" + dst_ip + ""; +- row += "" + dst_port + ""; +- row += "" + signature + ""; +- row += ""; +- } +- +- // Update parent counts +- $(".d_row_sub_active").find(".b_ec_hot").text(rtCount); +- if ($(".d_row_sub_active").find(".b_ec_total").text() < tlCount) { +- $(".d_row_sub_active").find(".b_ec_total").text(tlCount); +- } +- +- var cols = $('th.sort').length; +- +- // Populate tags +- clearTags(); +- for (var i=0; i < tags.length; i++) { +- addTag(tags[i]); +- } +- +- tbl += ""; +- tbl += ""; +- tbl += head; +- tbl += row; +- tbl += "
"; +- $("#" + rowLoke).after(tbl); +- $(".d_row_sub").fadeTo('0','0.2'); +- $("#loader").hide(); +- $("#tl3").tablesorter({ +- headers: { +- 0:{sorter:false}, +- 4:{sorter:'ipv4'}, +- 6:{sorter:'ipv4'} +- }, +- cancelSelection:false +- }); +- $("#ca0").hide(); +- } +- break; +- +- // Level 2a view - No grouping, individual events +- +- case "2a": +- $('.value').text('-'); +- var urArgs = "type=2a&ts=" + theWhen + "&filter=" + theFilter + "&sensors=" + theSensors + "&rt=" + rt + "&sv=" + sortval; +- $(function(){ +- $.get(".inc/callback.php?" + urArgs, function(data){cb3a(data)}); +- }); +- +- function cb3a(data){ +- eval("d2a=" + data); +- var tbl = ''; +- var head = ''; +- var row = ''; +- var disabled = ''; +- if (d2a.length == 0) { +- disabled = "disabled"; +- row += ""; +- row += "No result. If this is unexpected try this"; +- } +- +- head += ""; +- head += ""; +- head += ""; +- head += "ST"; +- head += ""; +- head += "TIMESTAMP"; +- head += "ID"; +- head += "SOURCE"; +- head += "PORT"; +- head += "AGE"; +- head += "CC"; +- head += "DESTINATION"; +- head += "PORT"; +- head += "AGE"; +- head += "CC"; +- head += "SIGNATURE"; +- head += ""; +- +- // Aggregate time values +- var timeValues = ""; +- for (var ts=0; ts" + sid + "." + cid + ""; +- //if (src_port != "-" && dst_port != "-") { +- // txBit = "" + sid + "." + cid + ""; +- //} +- // new pivot to CapMe: +- txdata = "s" + i + "-" + cid + "-" + s2h(sid + "|" + utctimestamp + "|" + src_ip + "|" + src_port + "|" + dst_ip + "|" + dst_port); +- txBit = "" + sid + "." + cid + ""; +- if (src_port != "-" && dst_port != "-") { +- var startDate = new Date(utctimestamp); +- var start_tz_offset = (startDate.getTimezoneOffset()); +- var stime = startDate.setTime( startDate.getTime()/1000-(start_tz_offset*60) ) - 3600; +- var endDate = new Date(utctimestamp); +- var end_tz_offset = (endDate.getTimezoneOffset()); +- var etime = endDate.setTime( endDate.getTime()/1000-(end_tz_offset*60) ) + 3600; +- txBit = " " + sid + "." 
+ cid + ""; +- } +- +- row += ""; +- row += ""; +- row += "
"; +- row += cv + "
"; +- row += "
" + d2a[i].f16 + "
"; +- row += "" + timestamp + ""; +- row += txBit; +- row += "
" + src_ip + ""; +- row += "" + src_port + ""; +- row += "" + src_age_n + ""; +- row += "" + cs[1] + ""; +- row += "
" + dst_ip + ""; +- row += "" + dst_port + ""; +- row += "" + dst_age_n + "" +- row += "" + cd[1] + ""; +- row += "" + signature + ""; +- } +- +- var sumED = 0, sumEC = 0, cmsg = ""; +- +- if (d2a.length > 0) { +- sumED = i; +- sumEC = d2a.length; +- } +- +- if (d2a.length >= maxI) { +- sumRE = sumEC - maxI; +- cmsg = " / " + sumRE + " not shown"; +- } +- +- $("#qtotal").html(rsumRT); +- +- // Populate tags +- clearTags(); +- for (var i=0; i < tags.length; i++) { +- addTag(tags[i]); +- } +- +- // Draw +- tbl += ""; +- tbl += "
"; +- tbl += "
"; +- tbl += "
"; +- tbl += "categorize " + 0 + ""; +- tbl += " of " + sumED + " event(s)" + cmsg; +- tbl += "
"; +- tbl += "
" + sorttxt + "
"; +- tbl += "
"; +- tbl += "
"; +- tbl += ""; +- tbl += head; +- tbl += row; +- tbl += "
"; +- $('#' + parts[1] + '-' + parts[2]).after(tbl); +- +- if (d2a.length > 0) { +- var prVals = [spr1,spr2,spr3,spr4]; +- var pryBar = mkPribar(prVals); +- } else { +- var pryBar = mkPribar([0]); +- } +- $("#tl3a,#tl3b").fadeIn('slow'); +- $("#tl3b").tablesorter({ +- headers: { +- 0:{sorter:false}, +- 1:{sorter:false}, +- 5:{sorter:'ipv4'}, +- 8:{sorter:'ipv4'} +- }, +- cancelSelection:false +- }); +- $("#loader").hide(); +- } +- break; +- +- // Level 3 view - Packet Data +- +- case "3": +- var rowLoke = parts[1]; +- var nCols = $('#' + parts[1]).data('cols'); +- var filter = $('#' + parts[1]).data('filter'); +- var urArgs = "type=" + parts[0] + "&object=" + filter + "&ts=" + theWhen; +- var sg = $('#' + parts[1]).data('sg'); +- $(function(){ +- $.get(".inc/callback.php?" + urArgs, function(data){cb4(data)}); +- }); +- +- function cb4(data){ +- eval("theData=" + data); +- +- var tbl = '', head = '', row = ''; +- +- // If IP version is 0 we can jump right to the payload (likely bro, http or ossec agent) +- if (theData[0].ip_ver != 0) { +- +- var PDATA = 0; +- head += ""; +- head += ""; +- head += ""; +- head += ""; +- head += ""; +- head += ""; +- head += ""; +- head += ""; +- head += ""; +- head += ""; +- head += ""; +- head += ""; +- head += ""; +- head += ""; +- +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += "
IPVERIHLTOSLENGTHIDFLAGSOFFSETTTLCHECKSUMPROTO
" + theData[0].ip_ver + "" + theData[0].ip_hlen + "" + theData[0].ip_tos + "" + theData[0].ip_len + "" + theData[0].ip_id + "" + theData[0].ip_flags + "" + theData[0].ip_off + "" + theData[0].ip_ttl + "" + theData[0].ip_csum + "" + theData[0].ip_proto + "
"; +- +- switch (theData[0].ip_proto) { +- case "1": +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += "
ICMPTYPECODECHECKSUMIDSEQ#
" + theData[1].icmp_type + "" + theData[1].icmp_code + "" + theData[1].icmp_csum + "" + theData[1].icmp_id + "" + theData[1].icmp_seq + "
"; +- break; +- +- case "6": +- // TCP flags +- var tmpFlags = theData[1].tcp_flags || 'z'; +- switch (tmpFlags) { +- case 'z': var tcpFlags = '--------'; break; +- default: +- var binFlags = Number(theData[1].tcp_flags).toString(2); +- var binPad = 8 - binFlags.length; +- var tcpFlags = "00000000".substring(0,binPad) + binFlags; +- break; +- } +- var tcp_seq = theData[1].tcp_seq || '-'; +- var tcp_ack = theData[1].tcp_ack || '-'; +- var tcp_off = theData[1].tcp_off || '-'; +- var tcp_res = theData[1].tcp_res || '-'; +- var tcp_win = theData[1].tcp_win || '-'; +- var tcp_urp = theData[1].tcp_urp || '-'; +- var tcp_csum = theData[1].tcp_csum || '-'; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += "
TCPR1R0URGACKPSHRSTSYNFINSEQ#ACK#OFFSETRESWINURPCHECKSUM
" + tcpFlags[0] + "" + tcpFlags[1] + "" + tcpFlags[2] + "" + tcpFlags[3] + "" + tcpFlags[4] + "" + tcpFlags[5] + "" + tcpFlags[6] + "" + tcpFlags[7] + "" + tcp_seq + "" + tcp_ack + "" + tcp_off + "" + tcp_res + "" + tcp_win + "" + tcp_urp + "" + tcp_csum + "
"; +- break; +- +- case "17": +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += "
UDPLENGTHCHECKSUM
" + theData[1].udp_len + "" + theData[1].udp_csum + "
"; +- break; +- } +- +- var p_hex = '', p_ascii = '', p_ascii_l = ''; +- +- // Data +- if (!theData[2]) { +- p_hex = "No Data Sent."; +- p_ascii = "No Data Sent."; +- } else { +- p_pl = theData[2].data_payload; +- p_length = theData[2].data_payload.length; +- var b0 = 0; +- +- for(var i=0; i < p_length; i+=2) { +- b0++; +- t_hex = p_pl.substr(i,2); +- t_int = parseInt(t_hex,16); +- +- if ((t_int < 32) || (t_int > 126)) { +- p_hex += t_hex + " "; +- p_ascii += "."; +- p_ascii_l += "."; +- } else if (t_int == 60) { +- p_hex += t_hex + " "; +- p_ascii += "<"; +- p_ascii_l += "<"; +- } else if (t_int == 62) { +- p_hex += t_hex + " "; +- p_ascii += ">"; +- p_ascii_l += ">"; +- } else { +- p_hex += t_hex + " "; +- p_ascii += String.fromCharCode(parseInt(t_hex, 16)); +- p_ascii_l += String.fromCharCode(parseInt(t_hex, 16)); +- } +- +- if ((b0 == 16) && (i < p_length)) { +- p_hex += "
"; +- p_ascii += "
"; +- b0 = 0; +- } +- } +- } +- +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += "
DATAHEXASCII
" + p_hex + "" + p_ascii + "
ASCII" + p_ascii_l + "
"; +- +- } else { +- +- head += ""; +- var p_ascii = "No Data Sent."; +- // This needs to be more robust. +- if (theData[2]) { +- var tmp = h2s(theData[2].data_payload).split("\n"); +- p_ascii = ''; +- for (var i in tmp) { +- p_ascii += "
" + tmp[i] + "
"; +- } +- +- } +- row += ""; +- row += ""; +- row += "
" + p_ascii + "
"; +- } +- +- tbl += ""; +- +- // If we are not grouped we show the signature text +- if ( sg != 0 ) { +- tbl += "
"; +- tbl += "
"; +- tbl += "
"; +- tbl += "
"; +- tbl += "
"; +- tbl += "
"; +- sigLookup(sg); +- } +- +- // Comments and tags are done here +- var tags = new Array(); +- var eventTag = 'None.'; +- var eventComment = theData[0].comment || 'None.'; +- var src_tag = theData[0].srctag || '-'; +- var dst_tag = theData[0].dsttag || '-'; +- +- // Populate tags array +- if (src_tag != "-") { +- var src_tags = src_tag.split(","); +- $.each(src_tags, function(n,tag) { +- var t = tags.indexOf(tag + ",s"); +- if (t < 0) tags.push(tag + ",s"); +- }); +- } +- +- if (dst_tag != "-") { +- var dst_tags = dst_tag.split(","); +- $.each(dst_tags, function(n,tag) { +- var t = tags.indexOf(tag + ",d"); +- if (t < 0) tags.push(tag + ",d"); +- }); +- } +- +- if (tags.length > 0) eventTag = ''; +- +- tbl += "
COMMENTS
"; +- tbl += "
" + eventComment + "
"; +- tbl += "
TAGS
"; +- tbl += "
" + eventTag + "
"; +- if (PDATA != 0) { +- tbl += "
DETAILS
"; +- } else { +- tbl += "
PAYLOAD
"; +- } +- tbl += head; +- tbl += row; +- tbl += ""; +- $("#" + rowLoke).after(tbl); +- $("#loader").hide(); +- +- // Turn off fade effect for large results +- var rC = $(".d_row_sub1").length; +- if ( rC <= 499 ) { +- $(".d_row_sub1").fadeTo('fast','0.2'); +- } +- +- // Populate tags +- clearTags(); +- for (var i=0; i < tags.length; i++) { +- addTag(tags[i]); +- } +- +- } +- break; +- } +- // If event queue is off we need to reset this after load if b_ec_hot was +- // the entry point +- if ($('#rt').text() == 'off') rtbit = 0; +- } +- +- // +- // Object click handlers +- // +- +- $(document).on("click", ".select,.ex_val,.sub_filter,.row_filter,.tof,.value_link,.nr_f", function(e) { +- // Check if we are coming from a legit object +- var prefix = $(this).data('type'); +- if (prefix == "none") return; +- +- // Check if we are coming from a sane selection +- var selLen = window.getSelection().toString().length; +- if (selLen > 4) { +- if (selLen < 255) { // Might need to change these based on how people use this +- prefix = "zz"; +- var suffix = window.getSelection().toString(); +- var re = /\s/g; +- var NOK = re.exec(suffix); +- if (NOK) return; +- } else { +- return; +- } +- } else { +- var suffix = $(this).text(); +- } +- +- var mX = e.pageX; +- var mY = e.pageY; +- +- var colour = $(this).data('col') || "FFFFFF"; +- var tfocus = "#search"; +- switch (prefix) { +- case 'ip': +- hItemAdd(suffix); +- var sord = $(this).data('sord'); +- mkPickBox(prefix,suffix,sord,colour,mX,mY); +- break; +- case 'spt': +- case 'dpt': +- hItemAdd(suffix); +- mkPickBox(prefix,suffix,0,colour,mX,mY); +- break; +- case 'cc': +- case 'scc': +- case 'dcc': +- var cc = $(this).data('value'); +- hItemAdd(cc); +- mkPickBox(prefix,cc,suffix,colour,mX,mY); +- break; +- case 'cmt': +- suffix = $(this).data('comment'); +- $("#rt").text("off"); +- $("#rt").attr('class','tvalue_off'); +- $('#search').val(prefix + " " + suffix); +- hItemAdd(suffix); +- if ($('#cat_box').css('display') != 'none') { 
+- $('#ico01').click(); +- } +- $('.b_update').click(); +- break; +- case 'cmt_c': +- $('.cat_msg_txt').val(suffix); +- hItemAdd(suffix); +- tfocus = ".cat_msg_txt"; +- break; +- case 'fil': +- var fil = $(this).data('value'); +- $('#search').val(fil); +- hItemAdd(fil); +- if ($('#fltr_box').css('display') != 'none') { +- $('#ico04').click(); +- } +- $('.b_update').click(); +- break; +- case 'sid': +- var value = $(this).data('value'); +- hItemAdd(suffix); +- mkPickBox(prefix,value,suffix,colour,mX,mY); +- break; +- case 'st': +- var suffix = $(this).attr('id').split('-')[1]; +- $('#search').val(prefix + " " + suffix); +- // RT must be off to return anything +- $('#rt').attr('class','tvalue_off'); +- $('#rt').text('off'); +- rtbit = 0; +- $('.b_update').click(); +- break; +- case 'el': +- var suffix = $(this).data('value'); +- mkPickBox(prefix,suffix,0,colour,mX,mY); +- break; +- case 'zz': +- hItemAdd(suffix); +- mkPickBox(prefix,suffix,0,colour,mX,mY); +- break; +- } +- }); +- +- // +- // Picker Box +- // +- +- function mkPickBox(prefix,suffix,rsuffix,colour,mX,mY) { +- var doexternals = "yes"; +- var objhex = s2h(suffix); +- var tbl = '', row = ''; +- // Local stuff first +- switch (prefix[prefix.length - 1]) { +- case "c": +- row += ":: SRC or DST"; +- row += ":: SRC"; +- row += ":: DST"; +- row += ":: SEARCH"; +- break; +- case "p": +- row += ":: SRC or DST"; +- row += ":: SRC"; +- row += ":: DST"; +- row += ":: ADD / REMOVE TAG"; +- if ($('.sigtxt')[0]) { +- row += ":: HISTORY"; +- } +- row += ":: SEARCH"; +- row += ":: COLOUR  "; +- row += ""; +- row += "apply"; +- row += "apply all"; +- row += ""; +- break; +- case "t": +- row += ":: SRC"; +- row += ":: DST"; +- row += ":: SEARCH"; +- break; +- case "d": +- row += ":: SIGNATURE"; +- if ($('.sigtxt')[0]) { +- row += ":: HISTORY"; +- } +- row += ":: SEARCH"; +- break; +- case "l": +- row += ":: COLOUR  "; +- row += ""; +- row += "update"; +- doexternals = "no"; +- break; +- case "z": +- row += ":: SEARCH"; +- 
break; +- } +- +- // If applicable populate externals +- if (doexternals == "yes") { +- $('.f_row').each(function() { +- var ct = $(this).data('type'); +- if (ct == 'url') { +- var alias = $(this).data('alias'); +- var name = $(this).data('name'); +- var url = $(this).data('filter'); +- row += ""; +- row += "" + name + ""; +- row += ""; +- } +- }); +- } +- +- tbl += ""; +- tbl += row; +- tbl += "
"; +- +- var boxlabel = suffix; +- +- // Use more descriptive names where possible +- var re = /(sid|cc|scc|dcc)/; +- var OK = re.exec(prefix); +- if (OK) { +- var boxlabel = rsuffix; +- } +- +- if (boxlabel.length > 24) { +- boxlabel = boxlabel.substring(0,24); +- boxlabel += ".."; +- } +- +- $('#pickbox_label').text(boxlabel).css('font-weight','normal').data('sord', rsuffix); +- +- if ($('#tlpick')[0]) $('#tlpick').remove(); +- $(".pickbox_tbl").append(tbl); +- $('.pickbox').fadeIn('fast'); +- +- // Colour Picker +- $("#menucol").spectrum({ +- showInput: true, +- className: "full-spectrum", +- showInitial: true, +- showPalette: true, +- showSelectionPalette: true, +- maxPaletteSize: 6, +- preferredFormat: "hex", +- localStorageKey: "spectrum.demo", +- move: function (color) {}, +- show: function () {}, +- beforeShow: function () {}, +- hide: function () {}, +- change: function() {}, +- palette: [ +- ['rgb(217,217,217)','rgb(189,189,189)','rgb(150,150,150)','rgb(99,99,99)','rgb(37,37,37)'], +- ['rgb(199,233,192)','rgb(161,217,155)','rgb(116,196,118)','rgb(49,163,84)','rgb(0,109,44)'], +- ['rgb(218,218,235)','rgb(188,189,220)','rgb(158,154,200)','rgb(117,107,177)','rgb(84,39,143)'], +- ['rgb(198,219,239)','rgb(158,202,225)','rgb(107,174,214)','rgb(49,130,189)','rgb(8,81,156)'], +- ['rgb(254,217,118)','rgb(254,178,76)','rgb(253,141,60)','rgb(240,59,32)','rgb(189,0,38)'] +- ] +- }); +- } +- +- // Pickbox click events +- $(document).on('click', '.p_row', function() { +- if ($('.tagbox').css('display') != 'none') $('.tagcancel').click(); +- var ctype = $(this).data('type'); +- var alias = $(this).data('alias'); +- var args = $('#tlpick').data('val'); +- switch(ctype) { +- case "l": +- $('.pickbox').fadeOut('fast'); +- $('#search').val(alias + " " + args); +- $('.b_update').click(); +- break; +- case "r": +- $('.pickbox').fadeOut('fast'); +- var url = h2s($(this).data('url')).replace("${var}", args); +- window.open(url); +- break; +- case "t": +- 
$('.tagbox').fadeIn('fast'); +- $('.taginput').focus(); +- break; +- case "s": +- $('.pickbox').fadeOut('fast', function() {; +- $('#ico05').click(); +- }); +- $('.srch_txt').val(args); +- break; +- case "h": +- doHistory(args); +- $('.pickbox').fadeOut('fast'); +- break; +- default: return; +- } +- }); +- +- // +- // Tags +- // +- +- // Truncate +- function truncTag(tag,len) { +- if (tag.length > len) tag = tag.substring(0,len) + ".."; +- return tag; +- } +- +- // Filter results or add as new +- $(document).on('click', '.tag', function() { +- var tag = $(this).data('val'); +- if($('.taginput').is(":visible")) { +- $('.taginput').val(tag); +- $('.taginput').focus(); +- } else { +- $('#search').val('tag ' + tag); +- $('.b_update').click(); +- } +- }); +- +- // Remove individual tags on "(X)" click via payload area +- $(document).on('mouseenter', '.tag_d, .tag_s', function() { +- var tag = $(this).data('val'); +- if ($(".tag_x")[0]) return; +- var dw = $(this).width() - 5 + "px"; +- $(this).append("
X
"); +- $(".tag_x").css("margin-left", dw); +- $(".tag_x").fadeIn("slow"); +- +- }); +- +- $(document).on('mouseleave', '.tag_d, .tag_s', function() { +- $('.tag_x').remove(); +- }); +- +- $(document).on('click', '.tag_x', function() { +- var tag = $(this).parent().data("val"); +- var obj = $(this).parent().data("obj"); +- $(this).parent().remove(); +- var len = $("#tag_area").text().length; +- if (len == 0) $("#tag_area").append("None."); +- //doTag(s2h(obj),tag,'rm'); +- }); +- +- // Fire tag add on enter +- $('.taginput').keypress(function(e) { +- if (!e) e=window.event; +- key = e.keyCode ? e.keyCode : e.which; +- if (key == 13) $('.tagok').click(); +- }); +- +- // Close tag entry +- $(document).on('click', '.tagcancel', function() { +- $('.taginput').val(''); +- $('.tagbox').fadeOut('fast'); +- }); +- +- // Add a tag +- $(document).on('click', '.tagok', function() { +- var tag = $('.taginput').val(); +- var obj = $('#pickbox_label').text(); +- var re = /^[?a-zA-Z0-9][\s{1}\w-\.]*$/; +- var OK = re.exec(tag); +- if (OK) doTag(s2h(obj),tag,'add'); +- }); +- +- // Remove a tag +- $(document).on('click', '.tagrm', function() { +- var tag = truncTag($('.taginput').val(),20); +- var obj = $('#pickbox_label').text(); +- doTag(s2h(obj),tag,'rm'); +- $(".tag" + ":contains('" + tag + "')").remove(); +- $('.tagcancel').click(); +- }); +- +- // Display or Toggle tags +- function addTag(tag) { +- // If we entered from payload we have some additional info +- if ($('#eview_sub2')[0]) { +- var longTag = tag.split(",")[0]; +- var theClass = tag.split(",")[1]; +- var t_tag = truncTag(longTag,20); +- } else { +- var t_tag = truncTag(tag,20); +- } +- +- // Hide empty +- $('.tag_empty').hide(); +- +- // Check if tag exists +- var tag_exists = 0; +- $('.tag').each(function() { +- if ($(this).text() == t_tag) { +- $(this).addClass('tag_active'); +- tag_exists = 1; +- } +- }); +- +- // Add tag to left pane +- if (tag_exists == 0) { +- var newTag = "
" + t_tag + "
"; +- $('#tg_box').prepend(newTag); +- } +- +- // If we have the payload open, add here as well +- if ($('#eview_sub2')[0]) { +- if($('#pickbox_label').is(":visible")) { +- theClass = $('#pickbox_label').data('sord')[0]; +- } +- // Remove placeholder +- if ($('#tag_none')[0]) $('#tag_none').remove(); +- var newTag = "
" + t_tag + "
"; +- $('#tag_area').prepend(newTag); +- } +- +- } +- +- function doTag(obj,tag,op) { +- var urArgs = "type=19&obtype=tag&object=" + obj + "&value=" + tag + "&op=" + op; +- $(function(){ +- $.post(".inc/callback.php?" + urArgs, function(data){cb22(data)}); +- }); +- +- function cb22(data){ +- eval("theData=" + data); +- if (theData.msg != '') { +- alert(theData.msg); +- } else { +- if (op != 'rm') addTag(tag); +- $('.tagcancel').click(); +- } +- } +- } +- +- // Colours +- $(document).on('click', '.csave', function() { +- var obtype = $(this).data('obtype'); +- var object = $(this).data('object'); +- var colour = $('#menucol').val().replace(/#/,"").toUpperCase(); +- var op = "add"; +- var re = /^([A-Fa-f0-9]{6}|[A-Fa-f0-9]{3})$/; +- var OK = re.exec(colour); +- if (!OK) return; +- // Single or multiple? +- if (obtype == "src" || obtype == "dst") { +- var vr = new Array(); +- $("." + obtype).each(function() { +- var v = $(this).text(); +- var re = /\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}/; +- var OK = re.exec(v); +- if (OK) { +- var t = vr.indexOf(v); +- if (t < 0) vr.push(v); +- } +- }); +- object = vr.toString(); +- } +- +- var urArgs = "type=19&obtype=" + obtype + "_c&object=" + object + "&value=" + colour + "&op=" + op; +- $(function(){ +- $.post(".inc/callback.php?" + urArgs, function(data){cb22(data)}); +- }); +- +- function cb22(data){ +- eval("theData=" + data); +- if (theData.msg != '') { +- alert(theData.msg); +- } else { // We should be good.. +- var curObject = $('#pickbox_label').text(); +- if (obtype == "el") { +- var html = "
" + colour; +- $('#el_' + curObject).html(html); +- $('#el_' + curObject).data('col', colour); +- } else { +- $(".sub_filter:contains(" + curObject + ")").each(function() { +- $(this).find('.object').css('background-color', '#' + colour).parent().data('col', colour); +- }); +- } +- $('.pickbox').fadeOut('fast'); +- } +- } +- }); +- +- $(document).on('click', '.pickbox_close', function() { +- $('.tagcancel').click(); +- $('.pickbox').fadeOut('fast'); +- }); +- +- // +- // Object History +- // +- +- function hItemAdd(item) { +- var itemTitle = item; +- // Truncate +- if (item.length > 33) { +- itemTitle = item.substring(0,33) + ".."; +- } +- // Remove empty message +- $('.history_empty').hide(); +- +- // If the item doesn't exist, add it. Otherwise, we start counting. +- if ($(".h_item:contains('" + itemTitle + "')").length > 0) { +- var oc = $(".h_item:contains('" + itemTitle + "')").data('n'); +- var nc = Number(oc) + 1; +- var bg = '#c9c9c9'; +- var fn = 'normal'; +- if (nc <= 3) { +- bg = '#000'; +- } else if (nc > 3) { +- bg = '#cc0000'; +- fn = 'bold'; +- } +- +- $(".h_item:contains('" + itemTitle + "')").css('color', bg); +- $(".h_item:contains('" + itemTitle + "')").css('font-weight', fn); +- $(".h_item:contains('" + itemTitle + "')").data('n',nc); +- $(".h_item:contains('" + itemTitle + "')").text(itemTitle + "(" + nc + ")"); +- } else { +- var toAdd = " " + itemTitle + ""; +- $('#h_box').prepend(toAdd); +- } +- } +- +- if (!$('.h_item')[0]) { +- $('.history_empty').show(); +- } +- +- // Alt mappings for icons +- +- $.alt('1', function() { +- $("#ico01").click(); +- }); +- $.alt('2', function() { +- $("#ico02").click(); +- }); +- $.alt('3', function() { +- $("#ico03").click(); +- }); +- $.alt('4', function() { +- $("#ico05").click(); +- }); +- $.alt('5', function() { +- $("#ico04").click(); +- }); +- +- // +- // Event classification +- // +- +- // Use function keys to trigger status buttons +- $(document).keydown(function(event){ +- +- function stopOthers() 
{ +- event.originalEvent.keyCode = 0; +- event.preventDefault(); +- event.stopPropagation(); +- } +- +- switch (event.keyCode) { +- case 112: stopOthers(); $('#b_class-11').click(); break; +- case 113: stopOthers(); $('#b_class-12').click(); break; +- case 114: stopOthers(); $('#b_class-13').click(); break; +- case 115: stopOthers(); $('#b_class-14').click(); break; +- case 116: stopOthers(); $('#b_class-15').click(); break; +- case 117: stopOthers(); $('#b_class-16').click(); break; +- case 118: stopOthers(); $('#b_class-17').click(); break; +- case 119: stopOthers(); $('#b_class-1').click(); break; +- case 120: stopOthers(); $('#b_class-2').click(); break; +- } +- }); +- +- // Comment window status buttons +- $(document).on("click", "#cw_buttons", function(event) { +- var newclass = $(event.target).data('n'); +- if (newclass == 0) { +- $('#b_class-' + newclass).click(); +- } else { +- $('#b_class-' + newclass).click(); +- } +- }); +- +- // Highlight colour for selected events +- var hlcol = "#FFFFE0"; +- var hlhov = "#FDFDD6"; +- +- // Individual selects +- var clickOne = 0, clck1 = 0, clck2 = 0; +- $(document).on("click", ".chk_event", function(event) { +- $("#tl3b").trigger('update'); +- var clickTwo = this.id.split("_"); +- if (Number(clickOne[1]) > Number(clickTwo[1])) { +- clck1 = clickTwo[1]; +- clck2 = clickOne[1]; +- } else { +- clck1 = clickOne[1]; +- clck2 = clickTwo[1]; +- } +- +- if (event.shiftKey) { +- if (clck1 != clck2) { +- $("#s" + clck1).nextUntil("#s" + clck2).find(".chk_event").prop("checked", true); +- $("#s" + clck1).nextUntil("#s" + clck2).css("background-color", hlcol); +- $("#s" + clck1).nextUntil("#s" + clck2).hover( +- function(){$(this).css("background-color", hlhov)}, +- function(){$(this).css("background-color", hlcol)}); +- clickOne = 0, clck1 = 0, clck2 = 0; +- } +- } +- +- // Update class_count +- $("#class_count").html($(".chk_event:checked").length); +- if ($("#ca1:checked").length > 0) { +- $("#ca1").prop("checked",false); +- 
} +- clickOne = this.id.split("_"); +- +- if ($(this).prop("checked") == true) { +- $("#s" + clickTwo[1]).css("background-color", hlcol); +- $("#s" + clickTwo[1]).hover(function(){$(this).css("background-color", hlhov)}, +- function(){$(this).css("background-color", hlcol)}); +- } else { +- $("#s" + clickTwo[1]).css("background-color", "transparent"); +- $("#s" + clickTwo[1]).hover(function(){$(this).css("background-color", "#f4f4f4")}, +- function(){$(this).css("background-color", "transparent")}); +- } +- }); +- +- // Select all (2) +- $(document).on("click", "#ca1", function(event) { +- var chkLen = $("#ca1:checked").length; +- switch(chkLen) { +- case 0: +- $(".chk_event").prop("checked",false); +- $("#ca0").prop("checked",false); +- $(".d_row_sub1").css("background-color", "transparent"); +- $(".d_row_sub1").hover(function(){$(this).css("background-color", "#f4f4f4")}, +- function(){$(this).css("background-color", "transparent")}); +- break; +- default: +- $(".chk_event").each(function() { +- if ($(this).prop("disabled") == false) { +- $(this).prop("checked",true); +- } +- }); +- $(".d_row_sub1").css("background-color", hlcol); +- $(".d_row_sub1").hover(function(){$(this).css("background-color", hlhov)}, +- function(){$(this).css("background-color", hlcol)}); +- $("#ca0").prop("checked",true); +- break; +- } +- +- if ($(".eview_sub1")[0]) { +- // Update class_count +- $("#class_count").html($(".chk_event:checked").length); +- } +- +- }); +- +- // Select all (2a) - clean this up, the above is almost identical +- $(document).on("click", "#ca2", function(event) { +- var chkLen = $("#ca2:checked").length; +- switch(chkLen) { +- case 0: +- $(".chk_event").prop("checked",false); +- $("#ca2").prop("checked",false); +- $(".d_row_sub1").css("background-color", "transparent"); +- $(".d_row_sub1").hover(function(){$(this).css("background-color", "#f4f4f4")}, +- function(){$(this).css("background-color", "transparent")}); +- break; +- default: +- 
$(".chk_event").each(function() { +- if ($(this).prop("disabled") == false) { +- $(this).prop("checked",true); +- } +- }); +- $(".d_row_sub1").css("background-color", hlcol); +- $(".d_row_sub1").hover(function(){$(this).css("background-color", hlhov)}, +- function(){$(this).css("background-color", hlcol)}); +- $("#ca2").prop("checked",true); +- break; +- } +- // Update class_count +- $("#class_count").html($(".chk_event:checked").length); +- }); +- +- // Class button click +- $(document).on("click", "[id*=\"b_class-\"]", function() { +- // We only fire if something is selected +- var chkLen = parseInt($(".chk_event:checked").length + $(".chk_all:checked").length); +- var intclass = $(this).attr('id').split("-"); +- if (chkLen > 0 && intclass[1] != 0) { +- eClass(this,intclass[1]); +- } +- }); +- +- function eClass(caller,intclass) { +- // The sid.cid values +- var scid= "", scidlist = "", ecls = 0; +- if ($(".eview_sub1")[0] || $("#ca2")[0]) { +- $(".chk_event:checked").each(function() { +- if ($(this).data('eclass') == 0) { +- ecls++; +- } +- scid += $(this).val() + ","; +- }); +- scidlist = scid.replace(/,$/, ""); +- } else { +- ecls = $(".d_row_active").find(".b_ec_hot").text(); +- scidlist = $("#ca0").data("scid"); +- } +- +- // Was there a message? +- var msg = "none"; +- if ($(".cat_msg_txt").val().length != 0) { +- msg = $(".cat_msg_txt").val(); +- } +- +- if ($('#cat_box').css('display') != 'none') { +- $('#ico01').click(); +- } +- +- // We are now ready to class +- var catdata = intclass + "|||" + msg + "|||" + scidlist; +- var urArgs = "type=" + 9; +- $(function(){ +- $.post(".inc/callback.php?" 
+ urArgs, { catdata: catdata } ,function(data){cb9(data)}); +- }); +- +- function cb9(data){ +- eval("catRaw=" + data); +- catDbg = catRaw.dbg; +- if (catDbg == "0") { +- +- var curtotalrtcount = Number(ecls); +- // Working on grouped events +- if ($("#gr").text() == "on") { +- curclasscount = Number($("#class_count").text()); +- var curtotalparentcount = $(".d_row_active").find(".b_ec_hot").text(); +- // Do we have queued events? +- if (curtotalparentcount > 0) { +- +- // Are we working on queued events? +- if (curtotalrtcount > 0) { +- curclasscount = curtotalrtcount; +- } else { +- curclasscount = 0; +- } +- // Adjust the parent count +- newparentcount = parseInt(curtotalparentcount - curclasscount,10); +- $(".d_row_active").find(".b_ec_hot").text(newparentcount); +- +- if (newparentcount == 0) { +- $(".d_row_active").find(".b_ec_hot").parent().attr('class','row'); +- $(".d_row_active").find(".b_ec_hot").attr('class','b_ec_cold'); +- } +- +- // If we are working within the child, adjust accordingly +- if ($(".eview_sub1")[0]) { +- // How many are in the child +- curtotalchildcount = $(".d_row_sub_active").find(".b_ec_hot").text(); +- +- // Adjust the child count +- newchildcount = parseInt(curtotalchildcount - curclasscount,10); +- $(".d_row_sub_active").find(".b_ec_hot").text(newchildcount); +- if (newchildcount == 0) { +- $("#ca1").prop("disabled",true); +- $(".d_row_sub_active").find(".b_ec_hot").parent().attr('class','sub'); +- $(".d_row_sub_active").find(".b_ec_hot").attr('class','b_ec_cold'); +- } +- // Otherwise we were called from the parent +- } else { +- $(".d_row_sub").find(".b_ec_hot").parent().attr('class','sub'); +- $(".d_row_sub").find(".b_ec_hot").text(0); +- $(".d_row_sub").find(".b_ec_hot").attr('class','b_ec_cold'); +- $("#ca0").prop("disabled",true); +- } +- lastclasscount = newparentcount; +- } +- +- // Lastly, update class_count +- if (rtbit == 1 || curtotalrtcount > 0 || $("#eview_sub")[0]) { +- $("#class_count").html(0); +- } else { +- 
$("#class_count").html($(".d_row_active").find(".b_ec_total").text()); +- } +- +- // Working on ungrouped events +- } else { +- $("#class_count").html(lastclasscount); +- } +- +- // What the new classification is +- selClass = $(caller).data("cn"); +- newClass = "a_" + selClass; +- +- // Change visible class and disable if RT +- // If we are RT ungrouped, we just remove +- if ($('#rt').text() == 'on' && $("#ca2")[0]) { +- $(".chk_event:checked").each(function() { +- var pid = $(this).attr("id").split("_"); +- var nid = parseInt(Number(pid[1]) + 1); +- // Remove any open payload or TX panes +- if ($("[id^=eview_]")[0]) { +- $("[id^=eview_]").remove(); +- $(".d_row_sub1").css('opacity','1'); +- } +- // Remove the row +- $("#s" + pid[1]).fadeOut('fast', function() { +- $("#s" + pid[1]).remove(); +- }); +- }); +- +- // Update table (for sorter) +- $("#tl3b").trigger('update'); +- } else { +- // If we are RT and all events are classed we just remove +- if ($('#rt').text() == 'on' && $(".d_row_active").find(".b_ec_hot").text() == 0) { +- $("#active_eview").remove(); +- $(".d_row_active").fadeOut('slow', function (event) { +- $(".d_row_active").remove(); +- var newsigtotal = "-"; +- var sigtotal = $("#esignature").text(); +- if (sigtotal > 0) { +- newsigtotal = parseInt(sigtotal - 1); +- } +- $("#esignature").text(newsigtotal); +- }); +- $(".d_row").css('opacity','1'); +- } else { +- $(".chk_event:checked").each(function() { +- var n = this.id.split("_"); +- $("#class_box_" + n[1]).attr('class', newClass); +- $("#class_box_" + n[1]).text(selClass); +- if (curtotalparentcount > 0) { +- $(this).prop("disabled",true); +- } +- }); +- } +- $(".d_row_sub1").css("background-color", "#fafafa"); +- $(".d_row_sub1").hover(function(){$(this).css("background-color", "#f4f4f4")}, +- function(){$(this).css("background-color", "#fafafa")}); +- } +- +- // Uncheck everything +- $(".chk_event").prop("checked", false); +- $(".chk_all").prop("checked", false); +- // Remove these scids from 
the L1 scidlist +- if ($("#ca0")[0] && rtbit == 1) { +- var cur_scidlist = scidlist.split(','); +- var active_scidlist = $("#ca0").data("scid"); +- for (var i = 0; i < cur_scidlist.length; i++) { +- active_scidlist = active_scidlist.replace(cur_scidlist[i],''); +- } +- active_scidlist = active_scidlist.replace(/,{2,}/g,','); +- active_scidlist = active_scidlist.replace(/(^,|,$)/g,''); +- $("#ca0").data("scid", active_scidlist); +- } +- catMsg(scidlist.split(',').length, curtotalrtcount); +- } else { +- catMsg(0); +- } +- } +- } +- +- function catMsg(count, rtcount) { +- switch (count) { +- default: +- var ess = ''; +- if ( count > 1 ) ess = 's'; +- +- var numrows = Number($('.d_row').length + $('.d_row_sub1').length); +- var newboxtotal = 0, newcatcount = 0; +- newboxtotal = parseInt($("#qtotal").text() - rtcount); +- $("#qtotal").text(newboxtotal); +- +- // If we are just rt update Total boxes as we go +- if ($("#ca2")[0]) { // We are ungrouped +- newcatcount = parseInt($("#cat_count").text() - count); +- if (newcatcount == 0) { +- newView("u"); +- } else { +- $("#cat_count").text(newcatcount); +- } +- } +- +- if (numrows == 0) { +- newView("u"); +- } +- +- var msg = count + " event" + ess + " categorized"; +- clearTags(); +- break; +- } +- +- $("span.class_msg").text(msg); +- $("span.class_msg").fadeIn('slow', function() { +- setTimeout(function(){ +- $(".class_msg").fadeOut('slow'); +- }, 3000); +- }); +- } +- +- // Load summary tab +- function loadSummary() { +- var limit = 10; +- if ($('#wm0')[0]) { +- doMap("redraw"); +- } else { +- doMap("draw"); +- } +- mkSummary("signature",limit); +- mkSummary("srcip",limit); +- mkSummary("dstip",limit); +- mkSummary("srcpt",limit); +- mkSummary("dstpt",limit); +- mkSummary("srccc",limit); +- mkSummary("dstcc",limit); +- } +- +- // Toggle summary section +- $(document).on("click", ".hidepane", function(e) { +- $('#topsignature').toggle(); +- }); +- +- // Summary tab +- function mkSummary(box,limit) { +- var theWhen = 
getTimestamp(); +- var theSensors = s2h('empty'); +- var theFilter = mkFilter(); +- // See if we are filtering by sensor +- if ($('.chk_sen:checked').length > 0) { +- var active_sensors = "AND event.sid IN("; +- var iter = $('.chk_sen:checked').length; +- $('.chk_sen:checked').each(function() { +- active_sensors += "'" + $(this).val() + "',"; +- }); +- active_sensors = active_sensors.replace(/,+$/,''); +- active_sensors += ")"; +- theSensors = s2h(active_sensors); +- } +- +- var ldr = "
"; +- $('#ov_' + box + '_sl').prepend(ldr); +- $('#top' + box).fadeTo('fast', 0.2); +- switch (box) { +- case "srcip": +- var cbArgs = "srcip"; +- var qargs = "ip-src"; +- var urArgs = "type=15&qargs=" + qargs + "&filter=" + theFilter + "&sensors=" + theSensors + "&limit=" + limit + "&ts=" + theWhen; +- $(function(){ +- $.get(".inc/callback.php?" + urArgs, function(data){cb15(data,cbArgs)}); +- }); +- break; +- case "dstip": +- var cbArgs = "dstip"; +- var qargs = "ip-dst"; +- var urArgs = "type=15&qargs=" + qargs + "&filter=" + theFilter + "&sensors=" + theSensors + "&limit=" + limit + "&ts=" + theWhen; +- $(function(){ +- $.get(".inc/callback.php?" + urArgs, function(data){cb15(data,cbArgs)}); +- }); +- break; +- case "srcpt": +- var cbArgs = "srcpt"; +- var qargs = "pt-src"; +- var urArgs = "type=15&qargs=" + qargs + "&filter=" + theFilter + "&sensors=" + theSensors + "&limit=" + limit + "&ts=" + theWhen; +- $(function(){ +- $.get(".inc/callback.php?" + urArgs, function(data){cb17(data,cbArgs)}); +- }); +- break; +- case "dstpt": +- var cbArgs = "dstpt"; +- var qargs = "pt-dst"; +- var urArgs = "type=15&qargs=" + qargs + "&filter=" + theFilter + "&sensors=" + theSensors + "&limit=" + limit + "&ts=" + theWhen; +- $(function(){ +- $.get(".inc/callback.php?" + urArgs, function(data){cb17(data,cbArgs)}); +- }); +- break; +- case "signature": +- var qargs = "sig-sig"; +- var urArgs = "type=15&qargs=" + qargs + "&filter=" + theFilter + "&sensors=" + theSensors + "&limit=" + limit + "&ts=" + theWhen; +- $(function(){ +- $.get(".inc/callback.php?" + urArgs, function(data){cb16(data)}); +- }); +- break; +- case "srccc": +- var cbArgs = "srccc"; +- var qargs = "cc-src"; +- var urArgs = "type=15&qargs=" + qargs + "&filter=" + theFilter + "&sensors=" + theSensors + "&limit=" + limit + "&ts=" + theWhen; +- $(function(){ +- $.get(".inc/callback.php?" 
+ urArgs, function(data){cb15(data,cbArgs)}); +- }); +- break; +- case "dstcc": +- var cbArgs = "dstcc"; +- var qargs = "cc-dst"; +- var urArgs = "type=15&qargs=" + qargs + "&filter=" + theFilter + "&sensors=" + theSensors + "&limit=" + limit + "&ts=" + theWhen; +- $(function(){ +- $.get(".inc/callback.php?" + urArgs, function(data){cb15(data,cbArgs)}); +- }); +- break; +- } +- +- // IP and Country +- function cb15(data,cbArgs){ +- var ch = "SRC"; +- var wip = "d"; +- if (cbArgs[0] == "s") ch = "DST", wip = "s"; +- eval("raw=" + data); +- var tbl = '', head = '', row = ''; +- head += ""; +- head += "COUNT"; +- head += "%TOTAL"; +- head += "#SIG"; +- head += "#" + ch + ""; +- if (cbArgs[3] == "c") { +- head += "COUNTRY"; +- head += "#IP"; +- } else { +- head += "IP"; +- head += "COUNTRY"; +- } +- head += ""; +- +- var eventsum = raw[raw.length - 1].n || 0; +- var records = raw[raw.length - 1].r || 0; +- if (records == 0) { +- row = "No result."; +- $("#ov_" + cbArgs + "_sl").text(""); +- } +- for (var i=0; i 0) per = parseFloat(cnt/eventsum*100).toFixed(2); +- row += ""; +- row += "" + cnt + ""; +- row += "" + per + "%"; +- row += "" + sigs + ""; +- row += "" + ip2 + ""; +- +- if (cbArgs[3] == "c") { +- row += ""; +- row += cs[1] + clong + " (." + cc.toLowerCase() + ")" + ""; +- row += "" + ip + ""; +- } else { +- row += "
" + ip + ""; +- row += ""; +- row += cs[1] + clong + " (." + cc.toLowerCase() + ")" + ""; +- } +- row += ""; +- row += "
"; +- } +- tbl += ""; +- tbl += head; +- tbl += row; +- tbl += "
"; +- if ($("#top" + cbArgs)[0]) $("#top" + cbArgs).remove(); +- $("#ov_" + cbArgs + "_sl").after(tbl); +- $("#ov_" + cbArgs + "_msg").html("viewing " + i + " of " + records + " results"); +- mkSlider("ov_" + cbArgs + "_sl", i, records); +- } +- +- // Ports +- function cb17(data,cbArgs){ +- eval("raw=" + data); +- var tbl = '', head = '', row = ''; +- head += ""; +- head += "COUNT"; +- head += "%TOTAL"; +- head += "#SIG"; +- head += "#SRC" +- head += "#DST"; +- head += "PORT"; +- head += ""; +- +- var eventsum = raw[raw.length - 1].n || 0; +- var records = raw[raw.length - 1].r || 0; +- if (records == 0) { +- row = "No result."; +- $("#ov_" + cbArgs + "_sl").text(""); +- } +- for (var i=0; i 0) per = parseFloat(cnt/eventsum*100).toFixed(2); +- row += ""; +- row += "" + cnt + ""; +- row += "" + per + "%"; +- row += "" + sigs + ""; +- row += "" + src + ""; +- row += "" + dst + ""; +- row += "" + port + ""; +- row += ""; +- row += "
"; +- } +- tbl += ""; +- tbl += head; +- tbl += row; +- tbl += "
"; +- if ($("#top" + cbArgs)[0]) $("#top" + cbArgs).remove(); +- $("#ov_" + cbArgs + "_sl").after(tbl); +- $("#ov_" + cbArgs + "_msg").html("viewing " + i + " of " + records + " results"); +- mkSlider("ov_" + cbArgs + "_sl", i, records); +- } +- // Signature +- function cb16(data){ +- eval("raw=" + data); +- var tbl = '', head = '', row = ''; +- head += ""; +- head += "COUNT"; +- head += "%TOTAL"; +- head += "#SRC"; +- head += "#DST"; +- head += "SIGNATURE"; +- head += "ID"; +- head += ""; +- +- var eventsum = raw[raw.length - 1].n || 0; +- var records = raw[raw.length - 1].r || 0; +- if (records == 0) { +- row = "No result."; +- $("#ov_signature_sl").text(""); +- $("#ovestat").html("(No events)"); +- } else { +- $("#ovestat").html("(" + eventsum + " events)"); +- } +- for (var i=0; i 0) per = parseFloat(cnt/eventsum*100).toFixed(2); +- row += ""; +- row += "" + cnt + ""; +- row += "" + per + "%"; +- row += "" + src + ""; +- row += "" + dst + ""; +- row += "" + sig + ""; +- row += "" + sid + ""; +- row += ""; +- row += "
"; +- } +- +- tbl += ""; +- tbl += head; +- tbl += row; +- tbl += "
"; +- if ($('#topsignature')[0]) $('#topsignature').remove(); +- $("#ov_signature_sl").after(tbl); +- $("#ov_signature_msg").html("viewing " + i + " of " + records + " results"); +- mkSlider("ov_signature_sl", i, records); +- } +- } +- +- $(".ovsl").mouseup(function() { +- var section = $(this).attr('id'); +- var base = section.split("_")[1]; +- var limit = Number($("#" + section + "_lbl").text()); +- if (limit > 0) mkSummary(base, limit); +- }); +- +- // +- // Views tab +- // +- +- function loadViews() { +- $('.db_links').show(); +- if (!$("#db_view_cont")[0]) mkView(); +- } +- +- // Link handlers +- $(document).on('click', '.db_link', function() { +- $('.db_link').each(function() { +- if ($(this).data('state') == '1') { +- $(this).removeClass('db_link_active'); +- $(this).data('state', '0'); +- } +- }); +- $(this).data('state', '1'); +- mkView(); +- }); +- +- $(document).on('click', '.db_type', function() { +- $('.db_type').each(function() { +- if ($(this).data('state') == '1') { +- $(this).removeClass('db_type_active'); +- $(this).data('state', '0'); +- } +- }); +- $(this).data('state', '1'); +- mkView(); +- }); +- +- $(document).on('click','.db_save', function() { +- +- }); +- +- // Create the view +- function mkView() { +- $('#db_view_cont,#hp_info').remove(); +- if (!$("#db_view_ldr")[0]) { +- var view = 'ip'; +- $('.db_link').each(function() { +- if ($(this).data('state') == '1') { +- $(this).addClass('db_link_active'); +- view = $(this).data('val'); +- } +- }); +- +- var type = 'sk'; +- $('.db_type').each(function() { +- if ($(this).data('state') == '1') { +- $(this).addClass('db_type_active'); +- type = $(this).data('type'); +- } +- }); +- +- var theWhen = getTimestamp(); +- var theSensors = s2h('empty'); +- var theFilter = mkFilter(); +- // See if we are filtering by sensor +- if ($('.chk_sen:checked').length > 0) { +- var active_sensors = "AND event.sid IN("; +- var iter = $('.chk_sen:checked').length; +- $('.chk_sen:checked').each(function() { +- 
active_sensors += "'" + $(this).val() + "',"; +- }); +- active_sensors = active_sensors.replace(/,+$/,''); +- active_sensors += ")"; +- theSensors = s2h(active_sensors); +- } +- +- var ldr = "
"; +- $('.db_view').after(ldr); +- var qargs = view + "-" + type; +- var urArgs = "type=16&qargs=" + qargs + "&filter=" + theFilter + "&sensors=" + theSensors + "&ts=" + theWhen; +- $(function(){ +- $.get(".inc/callback.php?" + urArgs, function(data){cb17(data,type)}); +- }); +- +- function cb17(data,type) { +- eval("viewData=" + data); +- var records = viewData.records; +- if ($('#db_view_cont')[0]) $('#db_view_cont').remove(); +- if (records > 0) { +- $('.db_view').after("
"); +- switch (type) { +- case 'sk': +- var w = $(window).width(); +- var h = viewData.links.length * 12; +- if (h < 100) h = 100; +- mkSankey("db_view_cont",viewData,w,h); +- break; +- } +- } else { +- $('.db_view').after("
The query returned no results.
"); +- } +- $('#db_view_ldr').remove(); +- } +- } +- } +- +- // Make a map +- function doMap() { +- theWhen = getTimestamp(); +- var theFilter = mkFilter(); +- var working = "Working
"; +- +- $('#wm0').html(working); +- +- var urArgs = "type=" + 10 + "&filter=" + theFilter + "&ts=" + theWhen; +- $(function(){ +- $.get(".inc/callback.php?" + urArgs, function(data){cb10(data)}); +- }); +- +- function cb10(data){ +- eval("mapRaw=" + data); +- try { +- var mapDetail = $.parseJSON("{" + mapRaw.all + "}"); +- var srcc = mapRaw.srcc; +- var srce = mapRaw.srce; +- var dstc = mapRaw.dstc; +- var dste = mapRaw.dste; +- var allc = mapRaw.allc; +- var alle = mapRaw.alle; +- } +- catch(e) { +- var mapDetail = "{\"\"}"; +- } +- +- // What is our current event total? +- var esum = $('#event_sum').val(); +- var w = $(window).width() - 72; +- var h = w / 2.7 ; +- $("#ov_map").html("
"); +- $('#wm0').vectorMap({ +- map: 'world_mill_en', +- color: '#f4f3f0', +- backgroundColor: '#CFE1FC', +- zoomOnScroll: false, +- onRegionClick: function(event, code){ +- hItemAdd(code); +- $('#search').val("cc" + " " + code); +- $('#search').focus(); +- }, +- series: { +- regions: [{ +- values: mapDetail, +- scale: ['#ffffff', '#000000'], +- normalizeFunction: 'polynomial' +- }] +- }, +- onRegionLabelShow: function(e, el, code){ +- if (mapDetail[code]) { +- var eper = parseFloat(mapDetail[code]/esum*100).toFixed(3); +- el.html(el.html() + ' (' + mapDetail[code] + ' Events ' + eper + '% of Total)'); +- } else { +- el.html(el.html()); +- } +- } +- }); +- +- var stats = "("; +- stats += allc + " distinct countries)"; +- $("#ovmapstat").html(stats); +- } +- } +- +- // Redraw map +- $(document).on("click", "#map_src, #map_dst", function() { +- doMap($(this).attr('id').split("_")[1]); +- }); +- +- // +- // History +- // +- +- function doHistory(object) { +- $('#loader').show(); +- var urArgs = "type=" + 21 + "&object=" + s2h("aa" + object) + "&ts=" + theWhen; +- $(function(){ +- $.get(".inc/callback.php?" 
+ urArgs, function(data){cb21(data)}); +- }); +- +- function cb21(data){ +- eval("chartData=" + data); +- var r1 = chartData.r1; +- var r2 = chartData.r2; +- var sum = 0; +- if (r1 > 0) { +- mkHeatMap(".ev_hm",chartData.start,chartData.rows1,object); +- $('#obhist_sig').remove(); +- if (r2 > 0) { +- +- for (var i=0; i < r2; i++) { +- sum += Number(chartData.rows2[i].value); +- } +- +- var tbl = '', head = '', row = ''; +- head += ""; +- head += "COUNT"; +- head += "%TOTAL"; +- head += "SIGNATURE"; +- head += ""; +- row += ""; +- +- for (var i=0; i < r2; i++) { +- +- var cnt = chartData.rows2[i].value || "-"; +- var sig = chartData.rows2[i].label || "-"; +- var sid = chartData.rows2[i].sid || "-"; +- var per = 0; +- if (sum > 0) var per = parseFloat(cnt/sum*100).toFixed(2); +- var tsg = truncTag(sig,60); +- +- row += ""; +- row += "" + cnt + ""; +- row += "" + per + "%"; +- row += "" + tsg + ""; +- row += "" +- row += "
"; +- } +- +- row += ""; +- tbl += ""; +- tbl += head; +- tbl += row; +- tbl += "
"; +- if ($('#obhist_sig')[0]) $('#obhist_sig').remove(); +- $(".ev_py").append(tbl); +- } +- } else { +- return; +- } +- if ($(".eview_charts")[0]) $('.eview_charts').slideDown('slow'); +- $("#loader").hide(); +- } +- } +-// The End. +-}); +--- securityonion-squert-20161212.orig/auth/sso/squert/login.php ++++ /dev/null +@@ -1,158 +0,0 @@ +- +-// +-// This program is free software: you can redistribute it and/or modify +-// it under the terms of the GNU General Public License as published by +-// the Free Software Foundation, either version 3 of the License, or +-// (at your option) any later version. +-// +-// This program is distributed in the hope that it will be useful, +-// but WITHOUT ANY WARRANTY; without even the implied warranty of +-// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +-// GNU General Public License for more details. +-// +-// You should have received a copy of the GNU General Public License +-// along with this program. If not, see . +-// +-// +- +-include_once '.inc/config.php'; +- +-$username = $password = $err = ''; +-$focus = 'username'; +-session_set_cookie_params(0, NULL, NULL, NULL, TRUE); +- +-function cleanUp($string) { +- if (get_magic_quotes_gpc()) { +- $string = stripslashes($string); +- } +- $string = mysql_real_escape_string($string); +- return $string; +-} +- +-//if ($_SERVER['REQUEST_METHOD'] == 'POST'){ +- //$username = $_REQUEST['username']; +- //$password = $_REQUEST['password']; +- // sso +- $username = $_SERVER['PHP_AUTH_USER']; +- $password = $_SERVER['PHP_AUTH_PW']; +- +- $ua = $_SERVER['HTTP_USER_AGENT']; +- $rqt = $_SERVER['REQUEST_TIME']; +- $rqaddr = $_SERVER['REMOTE_ADDR']; +- $max = mt_getrandmax(); +- $rqt .= mt_rand(0,$max); +- $rqaddr .= mt_rand(0,$max); +- $ua .= mt_rand(0,$max); +- $cmpid = $rqt . $rqaddr . $ua; +- $id = md5($cmpid); +- // PDO prepared statements +- try { +- // first connect to database with the PDO object. 
+- $dbpdo = new PDO("mysql:host=$dbHost;dbname=$dbName;charset=latin1", "$dbUser", "$dbPass", [ +- PDO::ATTR_EMULATE_PREPARES => false, +- PDO::MYSQL_ATTR_USE_BUFFERED_QUERY => false, +- PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION +- ]); +- } catch(PDOException $e){ +- // if connection fails, log PDO error. +- error_log("Error connecting to mysql: ". $e->getMessage()); +- } +- +- if (isset($dbpdo)) { +- // prepare statement +- $statement = "SELECT * FROM user_info WHERE username = :user"; +- $query = $dbpdo->prepare("$statement"); +- // build parameters for prepared statement +- $params = [":user" => "$username"]; +- // execute the prepared statement and pass it params +- $query->execute($params); +- // fetch the data +- while ($row = $query->fetch(PDO::FETCH_NUM)) { +- $userName = $row[1]; +- $lastLogin = $row[2]; +- $userHash = $row[3]; +- $userEmail = $row[4]; +- $userType = $row[5]; +- $userTime = $row[6]; +- $tzoffset = $row[7]; +- } +- +- // if $username was found in database, then check password +- if ( isset($userName) && $username == $userName) { +- // The first 2 chars are the salt +- $theSalt = substr($userHash, 0,2); +- +- // The remainder is the hash +- $theHash = substr($userHash, 2); +- +- // Now we hash the users input +- $testHash = sha1($password . $theSalt); +- +- // Does it match? If yes, start the session. 
+- if ($testHash === $theHash) { +- session_start(); +- +- // Protect against session fixation attack +- if (!isset($_SESSION['initiated'])) { +- session_regenerate_id(); +- $_SESSION['initiated'] = true; +- } +- +- $_SESSION['sLogin'] = 1; +- $_SESSION['sUser'] = $userName; +- $_SESSION['sPass'] = $password; +- $_SESSION['sEmail'] = $userEmail; +- $_SESSION['sType'] = $userType; +- $_SESSION['sTime'] = $userTime; +- $_SESSION['tzoffset'] = $tzoffset; +- $_SESSION['sTab'] = 't_sum'; +- $_SESSION['id'] = $id; +- +- header ("Location: index.php?id=$id"); +- } else { +- $err = 'The user name or password is incorrect.'; +- $focus = 'username'; +- } +- } else { +- $err = 'The user name or password is incorrect.'; +- $focus = 'username'; +- } +- } else { +- $err = 'Connection Failed'; +- } +-//} +-?> +- +- +- +-Please login to continue +- +- +- +- +-
+-
+- +- +- +- +- +- +-
+-squert - Please login to continue
+-Username
+-
+-Password
+-
+-

+-
Version 1.7.1©2016 Paul Halliday
+-
+-
+- +- +- +--- securityonion-squert-20161212.orig/login.php ++++ securityonion-squert-20161212/login.php +@@ -150,7 +150,7 @@ Password
+

+ + +-
Version 1.7.0©2016 Paul Halliday
++
Version 1.7.1©2016 Paul Halliday
+ + + diff --git a/debian/patches/fix-error-in-times-function b/debian/patches/fix-error-in-times-function new file mode 100644 index 0000000..fb032ba --- /dev/null +++ b/debian/patches/fix-error-in-times-function 
@@ -0,0 +1,75 @@
+Description:
+ TODO: Put a short summary on the line above and replace this paragraph
+ with a longer explanation of this change. Complete the meta-information
+ with other relevant fields (see below for details). To make it easier, the
+ information below has been extracted from the changelog. Adjust it or drop
+ it.
+ .
+ securityonion-squert (20161212-1ubuntu1securityonion14) trusty; urgency=medium
+ .
+ * fix error in times function
+Author: Doug Burks
+
+---
+The information above should follow the Patch Tagging Guidelines, please
+checkout http://dep.debian.net/deps/dep3/ to learn about the format. Here
+are templates for supplementary fields that you might want to add:
+
+Origin: ,
+Bug:
+Bug-Debian: http://bugs.debian.org/
+Bug-Ubuntu: https://launchpad.net/bugs/
+Forwarded:
+Reviewed-By:
+Last-Update:
+
+--- securityonion-squert-20161212.orig/.inc/callback.php
++++ securityonion-squert-20161212/.inc/callback.php
+@@ -1483,26 +1483,34 @@ function times() {
+ global $offset, $when, $sensors;
+ $filter = hextostr($_REQUEST['filter']);
+ if ($filter != 'empty') {
++ if (substr($filter, 0,4) == 'cmt ') {
++ $comment = explode('cmt ', $filter);
++ $qp2 = "LEFT JOIN history ON event.sid = history.sid AND event.cid = history.cid
++ WHERE history.comment = '" . mysql_real_escape_string($comment[1]) . "'
++ AND $when $sensors";
++ } else {
++ // this needs to be fixed
+ $filter = str_replace('<','<', $filter);
+ $filter = str_replace('>','>', $filter);
+ $filter = "AND " . $filter;
+ $qp2 = "WHERE $when
+ $sensors
+ $filter";
++ }
+ } else {
+ $qp2 = "WHERE $when
+ $sensors";
+ }
+
+ $query = "SELECT
+- SUBSTRING(CONVERT_TZ(timestamp,'+00:00','$offset'),12,5) AS time,
++ SUBSTRING(CONVERT_TZ(event.timestamp,'+00:00','$offset'),12,5) AS time,
+ COUNT(signature) AS count
+ FROM event
+ LEFT JOIN mappings AS msrc ON event.src_ip = msrc.ip
+ LEFT JOIN mappings AS mdst ON event.dst_ip = mdst.ip
+ $qp2
+ GROUP BY time
+- ORDER BY timestamp";
++ ORDER BY event.timestamp";
+ $result = mysql_query($query);
+ $rows = array();
+ $r = $m = 0;
+--- securityonion-squert-20161212.orig/login.php
++++ securityonion-squert-20161212/login.php
+@@ -130,7 +130,7 @@ Password
+

+ + +-
Version 1.6.5©2016 Paul Halliday
++
Version 1.6.6©2016 Paul Halliday
+ + + diff --git a/debian/patches/fix-for-loop b/debian/patches/fix-for-loop new file mode 100644 index 0000000..d49a09b --- /dev/null +++ b/debian/patches/fix-for-loop 
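Review bot: In the new `else` branch of times(), `$filter` (decoded from `$_REQUEST['filter']` by hextostr()) is still concatenated into `$qp2` and executed through mysql_query() with no escaping or parameter binding; the added `// this needs to be fixed` comment names the problem, but the hunk ships it. The new `cmt ` branch does call mysql_real_escape_string(), yet that function needs an open mysql_* link, and the improve-callback.php patch further down in this commit deletes the mysql_connect() call in favour of a PDO handle — without a link it returns false and the comparison silently becomes `history.comment = ''`. If that patch's `:id`-placeholder form of `$sensors` is applied ahead of this one, the placeholders would likewise reach mysql_query() as literal text. Converting this query to `$dbpdo->prepare()` with `$params[':comment'] = $comment[1];` bound, and validating `$filter` against an allow-list of field/operator forms instead of interpolating it, addresses both; the fetch loop of times() lies outside the hunk.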
@@ -0,0 +1,36 @@ +Description: + TODO: Put a short summary on the line above and replace this paragraph + with a longer explanation of this change. Complete the meta-information + with other relevant fields (see below for details). To make it easier, the + information below has been extracted from the changelog. Adjust it or drop + it. + . + securityonion-squert (20161212-1ubuntu1securityonion37) xenial; urgency=medium + . + * fix for loop +Author: Doug Burks + +--- +The information above should follow the Patch Tagging Guidelines, please +checkout http://dep.debian.net/deps/dep3/ to learn about the format. Here +are templates for supplementary fields that you might want to add: + +Origin: , +Bug: +Bug-Debian: http://bugs.debian.org/ +Bug-Ubuntu: https://launchpad.net/bugs/ +Forwarded: +Reviewed-By: +Last-Update: + +--- securityonion-squert-20161212.orig/.inc/callback.php ++++ securityonion-squert-20161212/.inc/callback.php +@@ -444,7 +444,7 @@ function level2() { + $rows = $query->fetchAll(PDO::FETCH_ASSOC); + // the frontend expects all values to be strings + for ($i=0;$i + TODO: Put a short summary on the line above and replace this paragraph + with a longer explanation of this change. Complete the meta-information + with other relevant fields (see below for details). To make it easier, the + information below has been extracted from the changelog. Adjust it or drop + it. + . + securityonion-squert (20161212-1ubuntu1securityonion5) trusty; urgency=medium + . + * fix ip2c.php +Author: Doug Burks + +--- +The information above should follow the Patch Tagging Guidelines, please +checkout http://dep.debian.net/deps/dep3/ to learn about the format. 
Here +are templates for supplementary fields that you might want to add: + +Origin: , +Bug: +Bug-Debian: http://bugs.debian.org/ +Bug-Ubuntu: https://launchpad.net/bugs/ +Forwarded: +Reviewed-By: +Last-Update: + +--- securityonion-squert-20161212.orig/.inc/ip2c.php ++++ securityonion-squert-20161212/.inc/ip2c.php +@@ -126,6 +126,10 @@ function IP2C($string,$isCLI) { + } + + /* ++ ++Commenting out the following function per ++https://github.com/int13h/squert/issues/76 ++ + function TheHTML($string) { + + echo "\r +@@ -143,6 +147,7 @@ function TheHTML($string) { + \r + \r"; + } ++*/ + + if (isset($argc)) { + +@@ -171,5 +176,4 @@ if (isset($argc)) { + TheHTML($string); + echo $html; + } +-*/ + ?> diff --git a/debian/patches/frontend-expects-all-values-to-be-strings b/debian/patches/frontend-expects-all-values-to-be-strings new file mode 100644 index 0000000..2ac0f08 --- /dev/null +++ b/debian/patches/frontend-expects-all-values-to-be-strings 
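Review bot: The `*/` added after TheHTML() in the second hunk closes the comment that until now ran to the `*/` removed in the third hunk, so the `if (isset($argc))` block between them becomes live code while still calling `TheHTML($string)` — a function that is now commented out, so a CLI run that reaches that line fails on an undefined function. The lines between the two hunks are not visible here, so this holds unless something in them guards that call. If the CLI path is meant to stay disabled, keep the trailing `*/`; if it is meant to run, drop the `TheHTML($string); echo $html;` lines as well and record that in the added comment, e.g. `// TheHTML() disabled per issue #76; CLI output path removed with it`.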
@@ -0,0 +1,36 @@
+Description:
+ TODO: Put a short summary on the line above and replace this paragraph
+ with a longer explanation of this change. Complete the meta-information
+ with other relevant fields (see below for details). To make it easier, the
+ information below has been extracted from the changelog. Adjust it or drop
+ it.
+ .
+ securityonion-squert (20161212-1ubuntu1securityonion35) xenial; urgency=medium
+ .
+ * frontend expects all values to be strings
+Author: Doug Burks
+
+---
+The information above should follow the Patch Tagging Guidelines, please
+checkout http://dep.debian.net/deps/dep3/ to learn about the format. Here
+are templates for supplementary fields that you might want to add:
+
+Origin: ,
+Bug:
+Bug-Debian: http://bugs.debian.org/
+Bug-Ubuntu: https://launchpad.net/bugs/
+Forwarded:
+Reviewed-By:
+Last-Update:
+
+--- securityonion-squert-20161212.orig/.inc/callback.php
++++ securityonion-squert-20161212/.inc/callback.php
+@@ -442,6 +442,8 @@ function level2() {
+ $query->execute($merged_params);
+ // fetch the data and encode to json
+ $rows = $query->fetchAll(PDO::FETCH_ASSOC);
++ // the frontend expects all values to be strings
++ $rows[0] = array_map('strval', $rows[0]);
+ $theJSON = json_encode($rows);
+ echo $theJSON;
+
diff --git a/debian/patches/improve-callback.php-and-grant-permission-to-autocat-table b/debian/patches/improve-callback.php-and-grant-permission-to-autocat-table
new file mode 100644
index 0000000..152c02f
--- /dev/null
+++ b/debian/patches/improve-callback.php-and-grant-permission-to-autocat-table
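Review bot: `$rows[0] = array_map('strval', $rows[0]);` assumes the query returned at least one row; when fetchAll() yields an empty array, `$rows[0]` is undefined, array_map() receives null (a warning and a null result on PHP 7, a TypeError on PHP 8) and the JSON emitted becomes `[null]` instead of `[]`. It also converts only the first row, so a multi-row result still reaches the frontend with mixed types; the fix-for-loop patch added in this same commit appears to address that second point, although its body is garbled in this view. A form that covers both cases is `$rows = array_map(function ($row) { return array_map('strval', $row); }, $rows);`. The rest of level2() lies outside the hunk.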
@@ -0,0 +1,1680 @@ +Description: + TODO: Put a short summary on the line above and replace this paragraph + with a longer explanation of this change. Complete the meta-information + with other relevant fields (see below for details). To make it easier, the + information below has been extracted from the changelog. Adjust it or drop + it. + . + securityonion-squert (20161212-1ubuntu1securityonion24) trusty; urgency=medium + . + * improve callback.php and grant permission to autocat table +Author: Doug Burks + +--- +The information above should follow the Patch Tagging Guidelines, please +checkout http://dep.debian.net/deps/dep3/ to learn about the format. Here +are templates for supplementary fields that you might want to add: + +Origin: , +Bug: +Bug-Debian: http://bugs.debian.org/ +Bug-Ubuntu: https://launchpad.net/bugs/ +Forwarded: +Reviewed-By: +Last-Update: + +--- securityonion-squert-20161212.orig/.inc/callback.php ++++ securityonion-squert-20161212/.inc/callback.php +@@ -9,14 +9,12 @@ if (!(isset($_SESSION['sLogin']) && $_SE + $base = dirname(__FILE__); + include_once "$base/config.php"; + include_once "$base/functions.php"; +-// original database connection info +-$link = mysql_connect($dbHost,$dbUser,$dbPass); +-$db = mysql_select_db($dbName,$link); + // PDO prepared statements + try { + // first connect to database with the PDO object. 
+- $dbpdo = new PDO("mysql:host=$dbHost;dbname=$dbName;charset=utf8", "$dbUser", "$dbPass", [ ++ $dbpdo = new PDO("mysql:host=$dbHost;dbname=$dbName;charset=latin1", "$dbUser", "$dbPass", [ + PDO::ATTR_EMULATE_PREPARES => false, ++ PDO::MYSQL_ATTR_USE_BUFFERED_QUERY => false, + PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION + ]); + } catch(PDOException $e){ +@@ -53,12 +51,10 @@ $types = array( + ); + + $type = $types[$type]; +-//error_log("type is $type"); + + if (isset($_REQUEST['ts'])) { + // Need EC +- $tsParts = explode("|", mysql_real_escape_string(hextostr($_REQUEST['ts']))); +- //$tsParts = explode("|", hextostr($_REQUEST['ts'])); ++ $tsParts = explode("|", hextostr($_REQUEST['ts'])); + $sdate = $tsParts[0]; + $edate = $tsParts[1]; + $stime = $tsParts[2]; +@@ -74,13 +70,14 @@ if (isset($_REQUEST['ts'])) { + } + + // user can specify sensors ++$sensors = ''; ++$sensorsclean = ''; ++$in = ''; ++$sensor_params = array(); + if (isset($_REQUEST['sensors'])) { + $sensors = hextostr($_REQUEST['sensors']); + if ($sensors == 'empty') { + $sensors = ''; +- $sensorsclean = ''; +- $in = ''; +- $sensor_params = array(); + } else { + // $sensors looks like this: + // AND event.sid IN('3','1') +@@ -91,7 +88,6 @@ if (isset($_REQUEST['sensors'])) { + // now we need to dynamically build IN for prepared statement based on: + // https://phpdelusions.net/pdo#like + $ids = explode(",", $sensorsclean); +- $in = ""; + foreach ($ids as $i => $item) + { + $key = ":id".$i; +@@ -103,13 +99,89 @@ if (isset($_REQUEST['sensors'])) { + } + } + +-// rt is the queue-only toggle on the left +-if (isset($_REQUEST['rt'])) { +- $rt = $_REQUEST['rt']; +- if ($rt == 1) { +- $rt = "AND event.status = 0"; ++// rt is the queue-only toggle on the left side of the EVENTS tab ++$rt = ""; ++if (isset($_REQUEST['rt']) && $_REQUEST['rt'] == 1) { ++ $rt = "AND event.status = 0"; ++} ++ ++// $sv is for sorting. 
For example: DESC ++// this cannot be done via prepared statement, so we use a whitelist approach ++$sv = ""; ++if (isset($_REQUEST['sv'])) { ++ $sv = $_REQUEST['sv'] == 'DESC' ? 'DESC' : 'ASC'; ++} ++ ++// many functions below rely on filters so let's build that out now ++if (isset($_REQUEST['filter'])) { ++ $filter = hextostr($_REQUEST['filter']); ++ // $filter comes from the filter box in the upper right corner of the EVENTS tab. Default: empty ++ if ($filter != 'empty') { ++ if (substr($filter, 0,4) == 'cmt ') { ++ // user entered cmt into the filter box ++ // pull their filter out and place it into the prepared statement array ++ $comment = explode('cmt ', $filter); ++ $filtercmt = $comment[1]; ++ $qp2 = "LEFT JOIN history ON event.sid = history.sid AND event.cid = history.cid ++ WHERE history.comment = :filtercmt"; ++ // build parameters for prepared statement ++ $qp2_params = [":filtercmt" => "$filtercmt"]; ++ } else { ++ // if the user didn't enter cmt, then they may be using one of the built-in filters ++ // for example, if the user wants to search for alerts with src or dst ip in US: ++ // cc us ++ // we'll then receive the following: ++ // (msrc.cc = 'us' OR mdst.cc = 'us') ++ // the general strategy is to try to match this with one of the built-in filters to ensure validity ++ // then build a prepared statement ++ // this needs to be fixed ++ $filter = str_replace('<','<', $filter); ++ $filter = str_replace('>','>', $filter); ++ // build parameters for prepared statement ++ $qp2_params = [":sdatetime" => "$sdatetime", ":edatetime" => "$edatetime", ":soffset" => "$offset", ":eoffset" => "$offset"]; ++ // find whatever is enclosed in single ticks and replace with $ ++ $exploded=explode("'",$filter); ++ $filtervar=$exploded[1]; ++ $compfilter = str_replace($filtervar, '$', $filter); ++ // retrieve all valid filters from database ++ $statement="SELECT UNHEX(filter) from filters where type='filter';"; ++ $query = $dbpdo->prepare("$statement"); ++ 
$query->execute(); ++ $rows = $query->fetchAll(PDO::FETCH_BOTH); ++ // search for user filter in list of valid filters ++ $newfilter = ""; ++ $filter = ""; ++ // "signature LIKE" is a special case ++ if ( "$compfilter" == "(signature LIKE '$' OR signature LIKE '$')" ) { ++ $filter = "AND (signature LIKE :filtervar1 OR signature LIKE :filtervar2)"; ++ $qp2_params[":filtervar1"] = "%$filtervar%"; ++ $qp2_params[":filtervar2"] = "%$filtervar%"; ++ } else { ++ foreach ($rows as $row) { ++ if ( "$compfilter" == "$row[0]" ) { ++ $newfilter = $row[0]; ++ $i=0; ++ while (strpos($newfilter, "'\$'") !== false) { ++ $newfilter = preg_replace('/\'\$\'/', ":filtervar$i", "$newfilter", 1); ++ $qp2_params[":filtervar$i"] = $filtervar; ++ $i++; ++ } ++ $filter = "AND " . $newfilter; ++ } ++ } ++ } ++ $qp2 = "WHERE event.timestamp BETWEEN CONVERT_TZ(:sdatetime,:soffset,'+00:00') AND CONVERT_TZ(:edatetime,:eoffset,'+00:00') ++ $sensors ++ $filter ++ $rt"; ++ } + } else { +- $rt = ""; ++ // filter box was empty so we'll just build a prepared statement using sensors and rt values ++ $qp2 = "WHERE event.timestamp BETWEEN CONVERT_TZ(:sdatetime,:soffset,'+00:00') AND CONVERT_TZ(:edatetime,:eoffset,'+00:00') ++ $sensors ++ $rt"; ++ // build parameters for prepared statement ++ $qp2_params = [":sdatetime" => "$sdatetime", ":edatetime" => "$edatetime", ":soffset" => "$offset", ":eoffset" => "$offset"]; + } + } + +@@ -119,7 +191,7 @@ if (!$type) { + + function ec() { + // This function returns event count grouped by status. +- // This is used to populate the numbers in the Classification section on the left side of the Events tab. ++ // This is used to populate the numbers in the Classification section on the left side of the EVENTS tab. + // This function has been updated to use PDO prepared statements. 
+ global $sdatetime, $edatetime, $offset, $sensors, $sensor_params, $dbpdo; + +@@ -212,73 +284,9 @@ function signatures() { + } + + function level0() { ++ // This function returns the aggegrated event data in the main section of the EVENTS tab. + // This function has been updated to use PDO prepared statements. +- global $offset, $when, $sensors, $rt, $sdatetime, $edatetime, $sensorsclean, $sensor_params, $dbpdo; +- // $sv is for sorting. For example: DESC +- // this cannot be done via prepared statement, so we use a whitelist approach +- $sv = mysql_real_escape_string($_REQUEST['sv']) == 'DESC' ? 'DESC' : 'ASC'; +- $filter = hextostr($_REQUEST['filter']); +- // $filter comes from the filter box in the upper right corner of the Events tab. Default: empty +- if ($filter != 'empty') { +- if (substr($filter, 0,4) == 'cmt ') { +- // user entered cmt into the filter box +- // pull their filter out and place it into the prepared statement array +- $comment = explode('cmt ', $filter); +- $filtercmt = mysql_real_escape_string($comment[1]); +- $qp2 = "LEFT JOIN history ON event.sid = history.sid AND event.cid = history.cid +- WHERE history.comment = :filtercmt"; +- // build parameters for prepared statement +- $params = [":sdatetime" => "$sdatetime", ":edatetime" => "$edatetime", ":soffset" => "$offset", ":eoffset" => "$offset", ":maxoffset" => "$offset", ":groupoffset" => "$offset", ":filtercmt" => "$filtercmt"]; +- } else { +- // if the user didn't enter cmt, then they may be using one of the built-in filters +- // for example, if the user wants to search for alerts with src or dst ip in US: +- // cc us +- // we'll then receive the following: +- // (msrc.cc = 'us' OR mdst.cc = 'us') +- // the general strategy is to try to match this with one of the built-in filters to ensure validity +- // then build a prepared statement +- // this needs to be fixed +- $filter = str_replace('<','<', $filter); +- $filter = str_replace('>','>', $filter); +- // build parameters for prepared 
statement +- $params = [":sdatetime" => "$sdatetime", ":edatetime" => "$edatetime", ":soffset" => "$offset", ":eoffset" => "$offset", ":maxoffset" => "$offset", ":groupoffset" => "$offset"]; +- // find whatever is enclosed in single ticks and replace with $ +- $exploded=explode("'",$filter); +- $filtervar=$exploded[1]; +- $compfilter = str_replace($filtervar, '$', $filter); +- // retrieve all valid filters from database +- $statement="SELECT UNHEX(filter) from filters where type='filter';"; +- $query = $dbpdo->prepare("$statement"); +- $query->execute(); +- $rows = $query->fetchAll(PDO::FETCH_BOTH); +- // search for user filter in list of valid filters +- $newfilter = ""; +- foreach ($rows as $row) { +- if ( "$compfilter" == "$row[0]" ) { +- $newfilter = $row[0]; +- $i=0; +- while (strpos($newfilter, "'\$'") !== false) { +- $newfilter = preg_replace('/\'\$\'/', ":filtervar$i", "$newfilter", 1); +- $params[":filtervar$i"] = $filtervar; +- $i++; +- } +- $filter = "AND " . $newfilter; +- } +- } +- $qp2 = "WHERE event.timestamp BETWEEN CONVERT_TZ(:sdatetime,:soffset,'+00:00') AND CONVERT_TZ(:edatetime,:eoffset,'+00:00') +- $sensors +- $filter +- $rt"; +- } +- } else { +- // filter box was empty so we'll just build a prepared statement using sensors and rt values +- $qp2 = "WHERE event.timestamp BETWEEN CONVERT_TZ(:sdatetime,:soffset,'+00:00') AND CONVERT_TZ(:edatetime,:eoffset,'+00:00') +- $sensors +- $rt"; +- // build parameters for prepared statement +- $params = [":sdatetime" => "$sdatetime", ":edatetime" => "$edatetime", ":soffset" => "$offset", ":eoffset" => "$offset", ":maxoffset" => "$offset", ":groupoffset" => "$offset"]; +- } +- ++ global $offset, $when, $sensors, $rt, $sdatetime, $edatetime, $sensor_params, $dbpdo, $qp2, $qp2_params, $sv; + // build statement + $statement="SELECT COUNT(event.signature) AS f1, + event.signature AS f2, +@@ -303,12 +311,18 @@ function level0() { + $qp2 + GROUP BY f3 + ORDER BY f5 $sv"; +- // debug +- //error_log("$statement"); 
++ // add params for local part of statement ++ $local_params[':maxoffset'] = "$offset"; ++ $local_params[':groupoffset'] = "$offset"; + // prepare statement + $query = $dbpdo->prepare("$statement"); +- // execute the prepared statement and pass it the local params array and the sensor_params array +- $query->execute(array_merge($params,$sensor_params)); ++ // merge params ++ $merged_params = array_merge($local_params, $sensor_params, $qp2_params); ++ // debug ++ //error_log("statement: $statement"); ++ //error_log("merged_params: " . print_r($merged_params,1)); ++ // execute the prepared statement with the params ++ $query->execute($merged_params); + // fetch the data and encode to json + $rows = $query->fetchAll(PDO::FETCH_ASSOC); + $theJSON = json_encode($rows); +@@ -316,39 +330,18 @@ function level0() { + } + + function level1() { +- +- global $offset, $when, $sensors, $rt; +- $sid = mysql_real_escape_string($_REQUEST['object']); +- $sv = mysql_real_escape_string($_REQUEST['sv']); +- $filter = hextostr($_REQUEST['filter']); +- +- if ($filter != 'empty') { +- if (substr($filter, 0,4) == 'cmt ') { +- $comment = explode('cmt ', $filter); +- $qp2 = "LEFT JOIN history ON event.sid = history.sid AND event.cid = history.cid +- WHERE history.comment = '" . mysql_real_escape_string($comment[1]) . "' +- AND event.signature_id = '$sid'"; +- } else { +- // this needs to be fixed +- $filter = str_replace('<','<', $filter); +- $filter = str_replace('>','>', $filter); +- $filter = "AND " . $filter; +- $qp2 = "WHERE $when +- $sensors +- AND event.signature_id = '$sid' +- $filter +- $rt"; +- } +- } else { +- $qp2 = "WHERE $when +- $sensors +- AND event.signature_id = '$sid' +- $rt"; +- } +- +- // LEVEL 1 +- $query = "SELECT COUNT(event.signature) AS count, +- MAX(CONVERT_TZ(event.timestamp,'+00:00','$offset')) AS maxTime, ++ // This function is called when the user clicks a number in the Queue column to drill into a group of aggregated events. 
++ // This function has been updated to use PDO prepared statements. ++ global $offset, $when, $sensors, $rt, $sdatetime, $edatetime, $sensor_params, $dbpdo, $qp2, $qp2_params, $sv; ++ // sid is signature_id (snort/suricata ID, OSSEC rule ID, etc.) ++ $sid = $_REQUEST['object']; ++ // add sid to $qp2 and $qp2_params ++ $qp2 = "$qp2 ++ AND event.signature_id = :sid"; ++ $qp2_params[':sid'] = "$sid"; ++ // build statement ++ $statement = "SELECT COUNT(event.signature) AS count, ++ MAX(CONVERT_TZ(event.timestamp,'+00:00', :maxoffset)) AS maxTime, + INET_NTOA(event.src_ip) AS src_ip, + msrc.c_long AS src_cc, + INET_NTOA(event.dst_ip) AS dst_ip, +@@ -360,8 +353,8 @@ function level1() { + GROUP_CONCAT(event.sid) AS c_sid, + GROUP_CONCAT(event.cid) AS c_cid, + GROUP_CONCAT(event.status) AS c_status, +- GROUP_CONCAT(SUBSTR(CONVERT_TZ(event.timestamp,'+00:00','$offset'),12,5)) AS c_ts, +- GROUP_CONCAT(SUBSTRING(CONVERT_TZ(event.timestamp, '+00:00', '$offset'),12,2)) AS f12, ++ GROUP_CONCAT(SUBSTR(CONVERT_TZ(event.timestamp,'+00:00', :groupoffset1),12,5)) AS c_ts, ++ GROUP_CONCAT(SUBSTRING(CONVERT_TZ(event.timestamp, '+00:00', :groupoffset2),12,2)) AS f12, + event.priority AS f13, + msrc.age AS src_age, + mdst.age AS dst_age, +@@ -377,58 +370,46 @@ function level1() { + $qp2 + GROUP BY event.src_ip, event.dst_ip + ORDER BY maxTime $sv"; +- +- $result = mysql_query($query); +- +- $rows = array(); +- +- while ($row = mysql_fetch_assoc($result)) { +- $rows[] = $row; +- } ++ // add params for local part of statement ++ $local_params[':maxoffset'] = "$offset"; ++ $local_params[':groupoffset1'] = "$offset"; ++ $local_params[':groupoffset2'] = "$offset"; ++ // prepare statement ++ $query = $dbpdo->prepare("$statement"); ++ // merge params ++ $merged_params = array_merge($local_params, $sensor_params, $qp2_params); ++ // debug ++ //error_log("statement: $statement"); ++ //error_log("merged_params: " . 
print_r($merged_params,1)); ++ // execute the prepared statement with the params ++ $query->execute($merged_params); ++ // fetch the data and encode to json ++ $rows = $query->fetchAll(PDO::FETCH_ASSOC); + $theJSON = json_encode($rows); + echo $theJSON; + } + + function level2() { +- +- global $offset, $when, $sensors, $rt; +- $comp = mysql_real_escape_string($_REQUEST['object']); +- $filter = hextostr($_REQUEST['filter']); +- $sv = mysql_real_escape_string($_REQUEST['sv']); +- $adqp = mysql_real_escape_string(hextostr($_REQUEST['adqp'])); ++ // This function is called when the user clicks a number in the Queue column in the second level of aggregation. ++ // This function has been updated to use PDO prepared statements. ++ global $offset, $when, $sensors, $rt, $qp2, $qp2_params, $sensor_params, $sv, $dbpdo; ++ $comp = $_REQUEST['object']; + list($ln,$sid,$src_ip,$dst_ip) = explode("-", $comp); + $src_ip = sprintf("%u", ip2long($src_ip)); + $dst_ip = sprintf("%u", ip2long($dst_ip)); + +- if ($filter != 'empty') { +- if (substr($filter, 0,4) == 'cmt ') { +- $comment = explode('cmt ', $filter); +- $qp2 = "LEFT JOIN history ON event.sid = history.sid AND event.cid = history.cid +- WHERE history.comment = '" . mysql_real_escape_string($comment[1]) . 
"' +- AND (event.signature_id = '$sid' +- AND event.src_ip = '$src_ip' +- AND event.dst_ip = '$dst_ip')"; +- } else { +- $qp2 = "WHERE $when +- $sensors +- AND (event.signature_id = '$sid' +- AND event.src_ip = '$src_ip' +- AND event.dst_ip = '$dst_ip')"; +- } +- } else { +- if ($adqp === "empty") { +- $adqp = ""; +- } +- $qp2 = "WHERE $when +- $sensors +- $adqp +- AND (event.signature_id = '$sid' +- AND event.src_ip = '$src_ip' +- AND event.dst_ip = '$dst_ip')"; +- } +- +- $query = "SELECT event.status AS f1, +- CONCAT_WS(',',CONVERT_TZ(event.timestamp,'+00:00','$offset'),event.timestamp) AS f2, ++ // add sid, src_ip, and dst_ip to $qp2 and $qp2_params ++ $qp2 = "$qp2 ++ AND (event.signature_id = :sid ++ AND event.src_ip = :src_ip ++ AND event.dst_ip = :dst_ip)"; ++ $qp2_params[':sid'] = "$sid"; ++ $qp2_params[':src_ip'] = "$src_ip"; ++ $qp2_params[':dst_ip'] = "$dst_ip"; ++ ++ // build statement using $qp2 ++ $statement = "SELECT event.status AS f1, ++ CONCAT_WS(',',CONVERT_TZ(event.timestamp,'+00:00',:concatoffset),event.timestamp) AS f2, + INET_NTOA(event.src_ip) AS f3, + event.src_port AS f4, + INET_NTOA(event.dst_ip) AS f5, +@@ -445,50 +426,34 @@ function level2() { + LEFT JOIN object_mappings AS src_tag ON event.src_ip = src_tag.object AND src_tag.type = 'tag' + LEFT JOIN object_mappings AS dst_tag ON event.dst_ip = dst_tag.object AND dst_tag.type = 'tag' + $qp2 +- $rt + GROUP BY event.sid,event.cid + ORDER BY event.timestamp $sv"; + +- $result = mysql_query($query); +- $rows = array(); +- +- while ($row = mysql_fetch_assoc($result)) { +- $rows[] = $row; +- } ++ // add params for local part of statement ++ $local_params[':concatoffset'] = "$offset"; ++ // prepare statement ++ $query = $dbpdo->prepare("$statement"); ++ // merge params ++ $merged_params = array_merge($local_params, $sensor_params, $qp2_params); ++ // debug ++ //error_log("statement: $statement"); ++ //error_log("merged_params: " . 
print_r($merged_params,1)); ++ // execute the prepared statement with the params ++ $query->execute($merged_params); ++ // fetch the data and encode to json ++ $rows = $query->fetchAll(PDO::FETCH_ASSOC); + $theJSON = json_encode($rows); + echo $theJSON; + + } + + function level2a() { +- +- global $offset, $when, $sensors, $rt; +- $sv = mysql_real_escape_string($_REQUEST['sv']); +- $filter = hextostr($_REQUEST['filter']); +- +- if ($filter != 'empty') { +- if (substr($filter, 0,4) == 'cmt ') { +- $comment = explode('cmt ', $filter); +- $qp2 = "LEFT JOIN history ON event.sid = history.sid AND event.cid = history.cid +- WHERE history.comment = '" . mysql_real_escape_string($comment[1]) . "'"; +- } else { +- // this needs to be fixed... +- $filter = str_replace('<','<', $filter); +- $filter = str_replace('>','>', $filter); +- $filter = "AND " . $filter; +- $qp2 = "WHERE $when +- $sensors +- $filter +- $rt"; +- } +- } else { +- $qp2 = "WHERE $when +- $sensors +- $rt"; +- } +- +- $query = "SELECT event.status AS f1, +- CONCAT_WS(',',CONVERT_TZ(event.timestamp,'+00:00','$offset'),event.timestamp) AS f2, ++ // This function is called when grouping is turned off. ++ // This function has been updated to use PDO prepared statements. 
++ global $offset, $when, $sensors, $rt, $qp2, $qp2_params, $sensor_params, $sv, $dbpdo; ++ // build statement ++ $statement = "SELECT event.status AS f1, ++ CONCAT_WS(',',CONVERT_TZ(event.timestamp,'+00:00',:concatoffset),event.timestamp) AS f2, + INET_NTOA(event.src_ip) AS f3, + event.src_port AS f4, + msrc.c_long AS f5, +@@ -516,30 +481,39 @@ function level2a() { + $qp2 + GROUP BY event.sid, event.cid + ORDER BY event.timestamp $sv"; +- +- $result = mysql_query($query); +- $rows = array(); +- while ($row = mysql_fetch_assoc($result)) { +- $rows[] = $row; +- } ++ // add params for local part of statement ++ $local_params[':concatoffset'] = "$offset"; ++ // prepare statement ++ $query = $dbpdo->prepare("$statement"); ++ // merge params ++ $merged_params = array_merge($local_params, $sensor_params, $qp2_params); ++ // debug ++ //error_log("statement: $statement"); ++ //error_log("merged_params: " . print_r($merged_params,1)); ++ // execute the prepared statement with the params ++ $query->execute($merged_params); ++ // fetch the data and encode to json ++ $rows = $query->fetchAll(PDO::FETCH_ASSOC); + $theJSON = json_encode($rows); + echo $theJSON; + } + + function payload() { ++ // This function retrieves the payload of the event. ++ // This function has been updated to use PDO prepared statements. 
+ +- global $offset; +- $comp = mysql_real_escape_string($_REQUEST['object']); ++ global $offset, $dbpdo; ++ $comp = $_REQUEST['object']; + list($sid,$cid) = explode("-", $comp); + +- $query = "SELECT INET_NTOA(event.src_ip), ++ $statement = "SELECT INET_NTOA(event.src_ip), + INET_NTOA(event.dst_ip), + event.ip_ver, event.ip_hlen, event.ip_tos, + event.ip_len, event.ip_id, event.ip_flags, + event.ip_off, event.ip_ttl, event.ip_csum, + event.src_port, event.dst_port, event.ip_proto, + event.signature, event.signature_id, +- CONVERT_TZ(event.timestamp,'+00:00','$offset'), event.sid, event.cid, ++ CONVERT_TZ(event.timestamp,'+00:00', :offset), event.sid, event.cid, + GROUP_CONCAT(history.comment SEPARATOR ' || ') AS comment, + GROUP_CONCAT(src_tag.value) AS srctag, + GROUP_CONCAT(dst_tag.value) AS dsttag +@@ -547,21 +521,28 @@ function payload() { + LEFT JOIN history ON event.sid = history.sid AND event.cid = history.cid + LEFT JOIN object_mappings AS src_tag ON event.src_ip = src_tag.object AND src_tag.type = 'tag' + LEFT JOIN object_mappings AS dst_tag ON event.dst_ip = dst_tag.object AND dst_tag.type = 'tag' +- WHERE event.sid='$sid' AND event.cid='$cid'"; +- +- $result = mysql_query($query); +- ++ WHERE event.sid=:sid AND event.cid=:cid"; ++ // debug ++ //error_log("$statement"); ++ // prepare statement ++ $query = $dbpdo->prepare("$statement"); ++ // build parameters for prepared statement ++ $params = [":offset" => "$offset", ":sid" => "$sid", ":cid" => "$cid"]; ++ // execute the prepared statement with params ++ $query->execute(array_merge($params)); ++ // fetch the data ++ $row = $query->fetchall(PDO::FETCH_ASSOC); + $rows = array(); +- +- $row = mysql_fetch_assoc($result); +- $rows[] = $row; +- $ipp = $row["ip_proto"]; ++ if (array_key_exists(0, $row)) { ++ $rows[] = $row[0]; ++ } ++ $ipp = $row[0]["ip_proto"]; + + // Protocol + switch ($ipp) { + + case 1: +- $query = "SELECT event.icmp_type AS icmp_type, ++ $statement = "SELECT event.icmp_type AS icmp_type, 
+ event.icmp_code AS icmp_code, + icmphdr.icmp_csum AS icmp_csum, + icmphdr.icmp_id AS icmp_id, +@@ -569,54 +550,78 @@ function payload() { + FROM event, icmphdr + WHERE event.sid=icmphdr.sid + AND event.cid=icmphdr.cid +- AND event.sid='$sid' +- AND event.cid='$cid'"; +- +- $result = mysql_query($query); +- +- $row = mysql_fetch_assoc($result); +- $rows[] = $row; ++ AND event.sid=:sid ++ AND event.cid=:cid"; ++ // debug ++ //error_log("$statement"); ++ // prepare statement ++ $query = $dbpdo->prepare("$statement"); ++ // build parameters for prepared statement ++ $params = [":sid" => "$sid", ":cid" => "$cid"]; ++ // execute the prepared statement with params ++ $query->execute(array_merge($params)); ++ // fetch the data ++ $row = $query->fetchall(PDO::FETCH_ASSOC); ++ if (array_key_exists(0, $row)) { ++ $rows[] = $row[0]; ++ } + break; + + case 6: +- $query = "SELECT tcp_seq, tcp_ack, tcp_off, tcp_res, tcp_flags, tcp_win, tcp_urp, tcp_csum ++ $statement = "SELECT tcp_seq, tcp_ack, tcp_off, tcp_res, tcp_flags, tcp_win, tcp_urp, tcp_csum + FROM tcphdr +- WHERE sid='$sid' AND cid='$cid'"; +- +- $result = mysql_query($query); +- +- $row = mysql_fetch_assoc($result); +- $rows[] = $row; ++ WHERE sid=:sid AND cid=:cid"; ++ // prepare statement ++ $query = $dbpdo->prepare("$statement"); ++ // build parameters for prepared statement ++ $params = [":sid" => "$sid", ":cid" => "$cid"]; ++ // execute the prepared statement with params ++ $query->execute(array_merge($params)); ++ // fetch the data ++ $row = $query->fetchall(PDO::FETCH_ASSOC); ++ if (array_key_exists(0, $row)) { ++ $rows[] = $row[0]; ++ } + break; + + case 17: +- $query = "SELECT udp_len, udp_csum ++ $statement = "SELECT udp_len, udp_csum + FROM udphdr +- WHERE sid='$sid' AND cid='$cid'"; +- +- $result = mysql_query($query); +- +- $row = mysql_fetch_assoc($result); +- $rows[] = $row; ++ WHERE sid=:sid AND cid=:cid"; ++ // prepare statement ++ $query = $dbpdo->prepare("$statement"); ++ // build parameters for 
prepared statement ++ $params = [":sid" => "$sid", ":cid" => "$cid"]; ++ // execute the prepared statement with params ++ $query->execute(array_merge($params)); ++ // fetch the data ++ $row = $query->fetchall(PDO::FETCH_ASSOC); ++ if (array_key_exists(0, $row)) { ++ $rows[] = $row[0]; ++ } + break; + default: + $result = array(0 => 0); + $rows[] = $row; + break; + } +- + // Data +- $query = "SELECT data_payload ++ $statement = "SELECT data_payload + FROM data +- WHERE sid='$sid' AND cid='$cid'"; +- +- $result = mysql_query($query); +- +- $row = mysql_fetch_assoc($result); +- $rows[] = $row; ++ WHERE sid=:sid AND cid=:cid"; ++ // prepare statement ++ $query = $dbpdo->prepare("$statement"); ++ // build parameters for prepared statement ++ $params = [":sid" => "$sid", ":cid" => "$cid"]; ++ // execute the prepared statement with params ++ $query->execute(array_merge($params)); ++ // fetch the data and encode to json ++ $row = $query->fetchall(PDO::FETCH_ASSOC); ++ if (array_key_exists(0, $row)) { ++ $rows[] = $row[0]; ++ } + $theJSON = json_encode($rows); + echo $theJSON; +- + } + + function tab() { +@@ -630,21 +635,28 @@ function transcript() { + } + + function filters() { ++ // This function queries and updates the filters table. ++ // This function has been updated to use PDO prepared statements. 
++ global $dbpdo; + $user = $_SESSION['sUser']; +- $mode = mysql_real_escape_string($_REQUEST['mode']); ++ $mode = $_REQUEST['mode']; + + switch ($mode) { + case "query" : +- $query = "SELECT type, UNHEX(name) AS name, alias, filter, UNHEX(notes) as notes, age, global, username ++ $statement = "SELECT type, UNHEX(name) AS name, alias, filter, UNHEX(notes) as notes, age, global, username + FROM filters + ORDER BY global,name ASC"; + +- $result = mysql_query($query); +- + $rows = array(); + ++ // debug ++ //error_log("$statement"); ++ // prepare statement ++ $query = $dbpdo->prepare("$statement"); ++ // execute the prepared statement with params ++ $query->execute(); + # iterate through each row of the filter table +- while ($row = mysql_fetch_assoc($result)) { ++ while ($row = $query->fetch(PDO::FETCH_ASSOC)) { + # for each field in that row, we need to sanitize before output + foreach ($row as &$value) { + # https://paragonie.com/blog/2015/06/preventing-xss-vulnerabilities-in-php-everything-you-need-know +@@ -670,23 +682,50 @@ function filters() { + $filter = str_ireplace($remove, "", $filter); + $filter = strtohex($filter); + +- $query = "INSERT INTO filters (type,name,alias,username,filter,notes) +- VALUES ('$type','$name','$alias','$user','$filter','$notes') ++ $statement = "INSERT INTO filters (type,name,alias,username,filter,notes) ++ VALUES (:type1,:name1,:alias1,:user1,:filter1,:notes1) + ON DUPLICATE KEY UPDATE +- type='$type',name='$name',alias='$alias',filter='$filter',notes='$notes'"; ++ type=:type2,name=:name2,alias=:alias2,filter=:filter2,notes=:notes2"; ++ // debug ++ //error_log("$statement"); ++ // prepare statement ++ $query = $dbpdo->prepare("$statement"); ++ // build parameters for prepared statement ++ $params = [":type1" => "$type", ":name1" => "$name", ":alias1" => "$alias", ":user1" => "$user", ":filter1" => "$filter", ":notes1" => "$notes", ":type2" => "$type", ":name2" => "$name", ":alias2" => "$alias", ":filter2" => "$filter", ":notes2" => 
"$notes"]; ++ // execute the prepared statement with params ++ $query->execute(array_merge($params)); ++ // check for errors ++ $error = $query->errorInfo(); ++ $result = ""; ++ // if there was no error, then $error[2] should be null ++ if ( ! is_null($error[2]) ) { ++ $result = $error[2]; ++ } + +- mysql_query($query); +- $result = mysql_error(); + $return = array("msg" => $result); + $theJSON = json_encode($return); + + break; + + case "remove" : +- $alias = mysql_real_escape_string($_REQUEST['data']); +- $query = "DELETE FROM filters WHERE username = '$user' AND (alias = '$alias' AND global = 0)"; +- mysql_query($query); +- $result = mysql_error(); ++ $alias = $_REQUEST['data']; ++ $statement = "DELETE FROM filters WHERE username = :user AND (alias = :alias AND global = 0)"; ++ // debug ++ //error_log("$statement"); ++ // prepare statement ++ $query = $dbpdo->prepare("$statement"); ++ // build parameters for prepared statement ++ $params = [":user" => "$user", ":alias" => "$alias"]; ++ // execute the prepared statement with the params ++ $query->execute(array_merge($params)); ++ // check for errors ++ $error = $query->errorInfo(); ++ $result = ""; ++ // if there was no error, then $error[2] should be null ++ if ( ! is_null($error[2]) ) { ++ $result = $error[2]; ++ } ++ + $return = array("msg" => $result); + $theJSON = json_encode($return); + +@@ -732,7 +771,10 @@ function cat() { + } + + function comments() { +- $query = "SELECT COUNT(comment) AS f1, ++ // This function retrieves comments from the history table. ++ // This function has been updated to use PDO prepared statements. 
++ global $dbpdo; ++ $statement = "SELECT COUNT(comment) AS f1, + comment AS f2, + u.username AS f3, + MIN(timestamp) AS f4, +@@ -745,53 +787,52 @@ function comments() { + AND (comment NOT IN('NULL','Auto Update','') AND comment NOT LIKE ('autoid %')) + GROUP BY comment + ORDER BY f5 DESC"; +- +- $result = mysql_query($query); +- $rows = array(); +- +- while ($row = mysql_fetch_assoc($result)) { +- $rows[] = $row; +- } ++ // debug ++ //error_log("$statement"); ++ // prepare statement ++ $query = $dbpdo->prepare("$statement"); ++ // execute the prepared statement ++ $query->execute(); ++ // fetch the data and encode to json ++ $rows = $query->fetchAll(PDO::FETCH_ASSOC); + $theJSON = json_encode($rows); + echo $theJSON; + } + + function remove_comment() { ++ // This function removes a comment from the history table. ++ // This function has been updated to use PDO prepared statements. ++ global $dbpdo; + $user = $_SESSION['sUser']; + $comment = hextostr($_REQUEST['comment']); +- $comment = mysql_real_escape_string($comment); +- $query = "DELETE FROM history WHERE comment = '$comment'"; +- mysql_query($query); +- $result = mysql_error(); ++ $comment = $comment; ++ $statement = "DELETE FROM history WHERE comment = :comment"; ++ // debug ++ //error_log("$statement"); ++ // prepare statement ++ $query = $dbpdo->prepare("$statement"); ++ // build parameters for prepared statement ++ $params = [":comment" => "$comment"]; ++ // execute the prepared statement with the params ++ $query->execute(array_merge($params)); ++ // check for errors ++ $error = $query->errorInfo(); ++ $result = ""; ++ // if there was no error, then $error[2] should be null ++ if ( ! 
is_null($error[2]) ) { ++ $result = $error[2]; ++ } + $return = array("msg" => $result); +- + $theJSON = json_encode($return); + echo $theJSON; + } + + function map() { +- global $when, $sensors; +- $filter = hextostr($_REQUEST['filter']); +- +- if ($filter != 'empty') { +- if (substr($filter, 0,4) == 'cmt ') { +- $comment = explode('cmt ', $filter); +- $qp2 = "LEFT JOIN history ON event.sid = history.sid AND event.cid = history.cid +- WHERE history.comment = '$comment[1]'"; +- } else { +- $filter = str_replace('<','<', $filter); +- $filter = str_replace('>','>', $filter); +- $filter = "AND " . $filter; +- $qp2 = "WHERE $when +- $sensors +- $filter"; +- } +- } else { +- $qp2 = "WHERE $when +- $sensors"; +- } ++ // This function is called when the user clicks the SUMMARY tab. ++ // This function has been updated to use PDO prepared statements. + +- $srcq = "SELECT COUNT(src_ip) AS c, msrc.cc ++ global $when, $sensors, $qp2, $qp2_params, $sensor_params, $sv, $dbpdo; ++ $srcstatement = "SELECT COUNT(src_ip) AS c, msrc.cc + FROM event + LEFT JOIN mappings AS msrc ON event.src_ip = msrc.ip + LEFT JOIN mappings AS mdst ON event.dst_ip = mdst.ip +@@ -803,7 +844,7 @@ function map() { + GROUP BY msrc.cc + ORDER BY c DESC"; + +- $dstq = "SELECT COUNT(dst_ip) AS c, mdst.cc ++ $dststatement = "SELECT COUNT(dst_ip) AS c, mdst.cc + FROM event + LEFT JOIN mappings AS msrc ON event.src_ip = msrc.ip + LEFT JOIN mappings AS mdst ON event.dst_ip = mdst.ip +@@ -814,16 +855,23 @@ function map() { + AND mdst.cc IS NOT NULL + GROUP BY mdst.cc + ORDER BY c DESC"; +- +- $srcr = mysql_query($srcq); +- $dstr = mysql_query($dstq); ++ // prepare statements ++ $srcquery = $dbpdo->prepare("$srcstatement"); ++ // merge params ++ $merged_params = array_merge($sensor_params, $qp2_params); ++ // debug ++ //error_log("srcstatement: $srcstatement"); ++ //error_log("dststatement: $dststatement"); ++ //error_log("merged_params: " . 
print_r($merged_params,1)); ++ // execute the prepared statement with the params ++ $srcquery->execute($merged_params); + + // A => src, B=> dst, C=> cumulative + $a1 = $a2 = $b1 = $b2 = array(); + $aHit = $bHit = $cHit = 'no'; + + // Source countries and count +- while ($row = mysql_fetch_row($srcr)) { ++ while ($row = $srcquery->fetch(PDO::FETCH_NUM)) { + $a1[] = $row[0]; + $a2[] = $row[1]; + $c1[] = $row[0]; +@@ -832,10 +880,12 @@ function map() { + $cHit = 'yes'; + } + ++ $dstquery = $dbpdo->prepare("$dststatement"); ++ $dstquery->execute($merged_params); + // Destination countries and count + // As we loop through we check to see if we hit a country + // that we already processed so that we can derive a sum +- while ($row = mysql_fetch_row($dstr)) { ++ while ($row = $dstquery->fetch(PDO::FETCH_NUM)) { + $b1[] = $row[0]; + $b2[] = $row[1]; + if ($aHit == 'yes') { +@@ -909,7 +959,11 @@ function map() { + } + + function sensors() { +- $query = "SELECT net_name AS f1, ++ // This function gets the list of sensors. ++ // This function has been updated to use PDO prepared statements. ++ global $dbpdo; ++ //$query = "SELECT net_name AS f1, ++ $statement = "SELECT net_name AS f1, + hostname AS f2, + agent_type AS f3, + sensor.sid AS f4 +@@ -917,26 +971,44 @@ function sensors() { + WHERE agent_type != 'pcap' + AND active = 'Y' + ORDER BY net_name ASC"; +- +- $result = mysql_query($query); +- $rows = array(); +- +- while ($row = mysql_fetch_assoc($result)) { +- $rows[] = $row; +- } ++ // debug ++ //error_log("$statement"); ++ // prepare statement ++ $query = $dbpdo->prepare("$statement"); ++ // execute the prepared statement ++ $query->execute(); ++ // fetch the data and encode to json ++ $rows = $query->fetchAll(PDO::FETCH_ASSOC); + $theJSON = json_encode($rows); + echo $theJSON; + } + + function user_profile() { ++ // This function updates the timezone offset in the user profile. ++ // This function has been updated to use PDO prepared statements. 
++ global $dbpdo; + $user = $_SESSION['sUser']; + $tz = hextostr($_REQUEST['tz']); + $validtz = "/^(-12:00|-11:00|-10:00|-09:30|-09:00|-08:00|-07:00|-06:00|-05:00|-04:30|-04:00|-03:30|-03:00|-02:00|-01:00|\+00:00|\+01:00|\+02:00|\+03:00|\+03:30|\+04:00|\+04:30|\+05:00|\+05:30|\+05:45|\+06:00|\+06:30|\+07:00|\+08:00|\+08:45|\+09:00|\+09:30|\+10:00|\+10:30|\+11:00|\+11:30|\+12:00|\+12:45|\+13:00|\+14:00)$/"; + + if (preg_match($validtz, $tz)) { +- $query = "UPDATE user_info SET tzoffset = '$tz' WHERE username = '$user'"; +- mysql_query($query); +- $result = mysql_error(); ++ // prepare statement ++ $statement = "UPDATE user_info SET tzoffset = :tz WHERE username = :user"; ++ // debug ++ //error_log("$statement"); ++ // prepare statement ++ $query = $dbpdo->prepare("$statement"); ++ // build parameters for prepared statement ++ $params = [":tz" => "$tz", ":user" => "$user"]; ++ // execute the prepared statement with the params ++ $query->execute($params); ++ // check for errors ++ $error = $query->errorInfo(); ++ $result = ""; ++ // if there was no error, then $error[2] should be null ++ if ( ! is_null($error[2]) ) { ++ $result = $error[2]; ++ } + // Update session offset + $_SESSION['tzoffset'] = $tz; + } else { +@@ -948,56 +1020,54 @@ function user_profile() { + } + + function summary() { +- global $when, $sensors; ++ // This function is called when the user clicks the SUMMARY tab. ++ // This function has been updated to use PDO prepared statements. 
++ ++ global $when, $sensors, $qp2, $qp2_params, $sensor_params, $sv, $dbpdo; + $limit = $_REQUEST['limit']; + $qargs = $_REQUEST['qargs']; + $filter = hextostr($_REQUEST['filter']); + list($type,$subtype) = explode("-", $qargs); + $oppip = "src"; +- if ($subtype == "src") { $oppip = "dst"; } +- +- if ($filter != 'empty') { +- if (substr($filter, 0,4) == 'cmt ') { +- $comment = explode('cmt ', $filter); +- $qp2 = "LEFT JOIN history ON event.sid = history.sid AND event.cid = history.cid +- WHERE history.comment = '$comment[1]'"; +- } else { +- $filter = str_replace('<','<', $filter); +- $filter = str_replace('>','>', $filter); +- $filter = "AND " . $filter; +- $qp2 = "WHERE $when +- $sensors +- $filter"; +- } +- } else { +- $qp2 = "WHERE $when +- $sensors"; +- } ++ // subtype is controlled by user, don't trust it ++ $cleansubtype = ""; ++ switch ($subtype) { ++ case "src": ++ $cleansubtype = "src"; ++ $oppip = "dst"; ++ break; ++ case "dst": ++ $cleansubtype = "dst"; ++ break; ++ case "sig": ++ $cleansubtype = "sig"; ++ break; ++ } + + switch ($type) { + case "ip": +- $query = "SELECT COUNT(event.{$subtype}_ip) AS f1, ++ $statement = "SELECT COUNT(event.{$cleansubtype}_ip) AS f1, + COUNT(DISTINCT(event.signature)) AS f2, + COUNT(DISTINCT(event.{$oppip}_ip)) AS f3, +- m{$subtype}.cc AS f4, +- m{$subtype}.c_long AS f5, +- INET_NTOA(event.{$subtype}_ip) AS f6, +- o{$subtype}.value AS f7 ++ m{$cleansubtype}.cc AS f4, ++ m{$cleansubtype}.c_long AS f5, ++ INET_NTOA(event.{$cleansubtype}_ip) AS f6, ++ o{$cleansubtype}.value AS f7 + FROM event + LEFT JOIN mappings AS msrc ON event.src_ip = msrc.ip + LEFT JOIN mappings AS mdst ON event.dst_ip = mdst.ip +- LEFT JOIN object_mappings AS o{$subtype} ON event.{$subtype}_ip = o{$subtype}.object +- AND o{$subtype}.type = 'ip_c' ++ LEFT JOIN object_mappings AS o{$cleansubtype} ON event.{$cleansubtype}_ip = o{$cleansubtype}.object ++ AND o{$cleansubtype}.type = 'ip_c' + $qp2 + GROUP BY f6 + ORDER BY f1 DESC"; + break; + case "pt": +- 
$query = "SELECT COUNT(event.{$subtype}_port) AS f1, ++ $statement = "SELECT COUNT(event.{$cleansubtype}_port) AS f1, + COUNT(DISTINCT(event.signature)) AS f2, + COUNT(DISTINCT(event.src_ip)) AS f3, + COUNT(DISTINCT(event.dst_ip)) AS f4, +- event.{$subtype}_port AS f5 ++ event.{$cleansubtype}_port AS f5 + FROM event + LEFT JOIN mappings AS msrc ON event.src_ip = msrc.ip + LEFT JOIN mappings AS mdst ON event.dst_ip = mdst.ip +@@ -1006,7 +1076,7 @@ function summary() { + ORDER BY f1 DESC"; + break; + case "sig": +- $query = "SELECT COUNT(event.signature) AS f1, ++ $statement = "SELECT COUNT(event.signature) AS f1, + COUNT(DISTINCT(event.src_ip)) AS f2, + COUNT(DISTINCT(event.dst_ip)) AS f3, + event.signature_id AS f4, +@@ -1019,64 +1089,62 @@ function summary() { + ORDER BY f1 DESC"; + break; + case "cc": +- $query = "SELECT COUNT(event.{$subtype}_ip) AS f1, ++ $statement = "SELECT COUNT(event.{$cleansubtype}_ip) AS f1, + COUNT(DISTINCT(event.signature)) AS f2, + COUNT(DISTINCT(event.{$oppip}_ip)) AS f3, +- m{$subtype}.cc AS f4, +- m{$subtype}.c_long AS f5, +- COUNT(DISTINCT(event.{$subtype}_ip)) AS f6 ++ m{$cleansubtype}.cc AS f4, ++ m{$cleansubtype}.c_long AS f5, ++ COUNT(DISTINCT(event.{$cleansubtype}_ip)) AS f6 + FROM event + LEFT JOIN mappings AS msrc ON event.src_ip = msrc.ip + LEFT JOIN mappings AS mdst ON event.dst_ip = mdst.ip + $qp2 +- AND event.{$subtype}_ip NOT BETWEEN 167772160 AND 184549375 +- AND event.{$subtype}_ip NOT BETWEEN 2886729728 AND 2886795263 +- AND event.{$subtype}_ip NOT BETWEEN 3232235520 AND 3232301055 +- AND m{$subtype}.cc IS NOT NULL GROUP BY m{$subtype}.cc ORDER BY f1 DESC"; ++ AND event.{$cleansubtype}_ip NOT BETWEEN 167772160 AND 184549375 ++ AND event.{$cleansubtype}_ip NOT BETWEEN 2886729728 AND 2886795263 ++ AND event.{$cleansubtype}_ip NOT BETWEEN 3232235520 AND 3232301055 ++ AND m{$cleansubtype}.cc IS NOT NULL GROUP BY m{$cleansubtype}.cc ORDER BY f1 DESC"; + break; + } +- $result = mysql_query($query); ++ ++ // prepare 
statement ++ $query = $dbpdo->prepare("$statement"); ++ // merge params ++ $merged_params = array_merge($sensor_params, $qp2_params); ++ // debug ++ //error_log("statement: $statement"); ++ //error_log("merged_params: " . print_r($merged_params,1)); ++ // execute the prepared statement with the params ++ $query->execute($merged_params); ++ + $rows = array(); + $i = 0; + $n = 0; +- $r = mysql_num_rows($result); +- while ($row = mysql_fetch_assoc($result)) { ++ // unbuffered query can't do rowCount, replacing with $i below ++ //$r = $query->rowCount(); ++ ++ # iterate through each row of the filter table ++ while ($row = $query->fetch(PDO::FETCH_ASSOC)) { + $n += $row["f1"]; + $i++; + if ($i <= $limit) $rows[] = $row; + } +- $rows[] = array("n" => $n, "r" => $r); ++ $rows[] = array("n" => $n, "r" => $i); + $theJSON = json_encode($rows); + echo $theJSON; + } + + function view() { +- global $when, $sensors; ++ // This function is called when the user clicks the VIEWS tab. ++ // This function has been updated to use PDO prepared statements. ++ ++ global $when, $sensors, $qp2, $qp2_params, $sensor_params, $sv, $dbpdo; + $qargs = $_REQUEST['qargs']; + $filter = hextostr($_REQUEST['filter']); + list($type,$subtype) = explode("-", $qargs); + +- if ($filter != 'empty') { +- if (substr($filter, 0,4) == 'cmt ') { +- $comment = explode('cmt ', $filter); +- $qp2 = "LEFT JOIN history ON event.sid = history.sid AND event.cid = history.cid +- WHERE history.comment = '$comment[1]'"; +- } else { +- $filter = str_replace('<','<', $filter); +- $filter = str_replace('>','>', $filter); +- $filter = "AND " . 
$filter; +- $qp2 = "WHERE $when +- $sensors +- $filter"; +- } +- } else { +- $qp2 = "WHERE $when +- $sensors"; +- } +- + switch ($type) { + case "ip": +- $query = "SELECT CONCAT_WS('|', INET_NTOA(event.src_ip), msrc.cc, msrc.c_long) AS source, ++ $statement = "SELECT CONCAT_WS('|', INET_NTOA(event.src_ip), msrc.cc, msrc.c_long) AS source, + CONCAT_WS('|', INET_NTOA(event.dst_ip), mdst.cc, mdst.c_long) AS target, + COUNT(event.src_ip) AS value + FROM event +@@ -1087,7 +1155,7 @@ function view() { + GROUP BY source,target"; + break; + case "ips": +- $query = "SELECT CONCAT_WS('|', INET_NTOA(event.src_ip), msrc.cc, msrc.c_long) AS source, ++ $statement = "SELECT CONCAT_WS('|', INET_NTOA(event.src_ip), msrc.cc, msrc.c_long) AS source, + event.signature AS sig, + CONCAT_WS('|', INET_NTOA(event.dst_ip), mdst.cc, mdst.c_long) AS target, + COUNT(event.src_ip) AS value +@@ -1099,7 +1167,7 @@ function view() { + GROUP BY source,target"; + break; + case "sc": +- $query = "SELECT CONCAT_WS('|' ,msrc.c_long, msrc.cc) AS source, ++ $statement = "SELECT CONCAT_WS('|' ,msrc.c_long, msrc.cc) AS source, + CONCAT_WS('|',INET_NTOA(event.dst_ip), mdst.cc) AS target, + COUNT(event.src_ip) AS value + FROM event +@@ -1113,7 +1181,7 @@ function view() { + GROUP BY source,target"; + break; + case "dc": +- $query = "SELECT CONCAT_WS('|', INET_NTOA(event.src_ip), msrc.cc) AS source, ++ $statement = "SELECT CONCAT_WS('|', INET_NTOA(event.src_ip), msrc.cc) AS source, + CONCAT_WS('|', mdst.c_long, mdst.cc) AS target, + COUNT(event.dst_ip) AS value + FROM event +@@ -1127,18 +1195,23 @@ function view() { + GROUP BY source,target"; + break; + } +- $result = mysql_query($query); +- $rc = mysql_num_rows($result); ++ // prepare statement ++ $query = $dbpdo->prepare("$statement"); ++ // merge params ++ $merged_params = array_merge($sensor_params, $qp2_params); ++ // debug ++ //error_log("statement: $statement"); ++ //error_log("merged_params: " . 
print_r($merged_params,1)); ++ // execute the prepared statement with the params ++ $query->execute($merged_params); ++ ++ // unbuffered query can't do rowCount, replacing with $records below ++ //$rc = $query->rowCount(); + $records = 0; + $rows = $srcs = $tgts = $vals = $skip = $names = $_names = array(); +- +- if ($rc == 0) { +- $theJSON = json_encode(array("nodes" => $names, "links" => $rows, "records" => $records)); +- echo $theJSON; +- exit(); +- } +- +- while ($row = mysql_fetch_assoc($result)) { ++/* ++*/ ++ while ($row = $query->fetch(PDO::FETCH_ASSOC)) { + if ($type == "ips") { + $srcs[] = $row["source"]; + $tgts[] = $row["sig"]; +@@ -1154,6 +1227,12 @@ function view() { + $sads[] = 0; + $records++; + } ++ ++ if ($records == 0) { ++ $theJSON = json_encode(array("nodes" => $names, "links" => $rows, "records" => $records)); ++ echo $theJSON; ++ exit(); ++ } + // Value counts + $src_c = array_count_values($srcs); + $tgt_c = array_count_values($tgts); +@@ -1163,33 +1242,33 @@ function view() { + foreach ($srcs as $index => $src) { + // Find the target + if (in_array($index, $skip)) { continue; } +- $tgt = $tgts[$index]; +- // Find the keys for all instances of the target as a source +- $tgt_keys = array_keys($srcs,$tgt); +- // Now see if any have the source as a target +- foreach ($tgt_keys as $pos) { +- if ($tgts[$pos] == $src) { +- $sads_val = $vals[$pos]; +- unset($srcs[$pos]); +- unset($tgts[$pos]); +- unset($vals[$pos]); +- unset($sads[$pos]); +- // Add offset to be skipped +- $skip[] = $pos; +- // By setting this we flag that this source is also a target +- $sads[$index] = $sads_val; ++ $tgt = $tgts[$index]; ++ // Find the keys for all instances of the target as a source ++ $tgt_keys = array_keys($srcs,$tgt); ++ // Now see if any have the source as a target ++ foreach ($tgt_keys as $pos) { ++ if ($tgts[$pos] == $src) { ++ $sads_val = $vals[$pos]; ++ unset($srcs[$pos]); ++ unset($tgts[$pos]); ++ unset($vals[$pos]); ++ unset($sads[$pos]); ++ // Add offset 
to be skipped ++ $skip[] = $pos; ++ // By setting this we flag that this source is also a target ++ $sads[$index] = $sads_val; ++ } + } +- } + +- // If there is no filter, remove 1:1s with a count of 1 +- if ($filter == 'empty') { +- if ($vals[$index] == 1 && $sads[$index] == 0 && $src_c[$src] == 1) { +- unset($srcs[$index]); +- unset($tgts[$index]); +- unset($vals[$index]); +- unset($sads[$index]); +- } +- } ++ // If there is no filter, remove 1:1s with a count of 1 ++ if ($filter == 'empty') { ++ if ( isset($vals[$index]) && $vals[$index] == 1 && isset($sads[$index]) && $sads[$index] == 0 && isset($src_c[$src]) && $src_c[$src] == 1) { ++ unset($srcs[$index]); ++ unset($tgts[$index]); ++ unset($vals[$index]); ++ unset($sads[$index]); ++ } ++ } + } + + // We have probably truncated these so realign the indexes +@@ -1234,29 +1313,34 @@ function view() { + } + + function autocat() { ++ // This function queries and updates sguild's list of autocats. ++ // This function has been updated to use PDO prepared statements. 
++ global $dbpdo; + $usr = $_SESSION['sUser']; + $pwd = $_SESSION['sPass']; + $offset = $_SESSION['tzoffset']; +- $mode = mysql_real_escape_string($_REQUEST['mode']); ++ $mode = $_REQUEST['mode']; + + switch ($mode) { + case "query" : +- $query = "SELECT autoid, CONVERT_TZ(erase,'+00:00','$offset') AS erase, sensorname, ++ // build statement ++ $statement = "SELECT autoid, CONVERT_TZ(erase,'+00:00', :offset1) AS erase, sensorname, + src_ip, src_port, dst_ip, dst_port, ip_proto, +- signature, status, active, CONVERT_TZ(timestamp,'+00:00','$offset') AS ts, ++ signature, status, active, CONVERT_TZ(timestamp,'+00:00', :offset2) AS ts, + u.username AS user, comment + FROM autocat + LEFT JOIN user_info AS u ON autocat.uid = u.uid + ORDER BY ts DESC"; +- +- $result = mysql_query($query); +- +- $rows = array(); +- +- while ($row = mysql_fetch_assoc($result)) { +- $rows[] = $row; +- } +- ++ // debug ++ //error_log("$statement"); ++ // prepare statement ++ $query = $dbpdo->prepare("$statement"); ++ // build parameters for prepared statement ++ $params = [":offset1" => "$offset", ":offset2" => "$offset"]; ++ // execute the prepared statement with the params ++ $query->execute($params); ++ // fetch the data and encode to json ++ $rows = $query->fetchAll(PDO::FETCH_ASSOC); + $theJSON = json_encode($rows); + break; + +@@ -1323,10 +1407,22 @@ function autocat() { + } + + if ($rm == 1) { +- $query = "DELETE FROM autocat WHERE autoid = $id"; ++ $statement = "DELETE FROM autocat WHERE autoid = :id"; ++ // debug ++ //error_log("$statement"); ++ // prepare statement ++ $query = $dbpdo->prepare("$statement"); ++ // build parameters for prepared statement ++ $params = [":id" => "$id"]; ++ // execute the prepared statement with the params ++ $query->execute($params); ++ $result = $query->errorInfo(); ++ $err = ""; ++ // if there was no error, then $result[2] should be null ++ if ( ! 
is_null($result[2]) ) { ++ $err = $result[2]; ++ } + +- mysql_query($query); +- $err = mysql_error(); + } + + $result = array("dbg" => htmlspecialchars($debug), +@@ -1416,11 +1512,13 @@ echo $theJSON; + } + + function addremoveobject() { +- $user = $_SESSION['sUser']; +- $obtype = mysql_real_escape_string($_REQUEST['obtype']); +- $object = mysql_real_escape_string(hextostr($_REQUEST['object'])); +- $value = mysql_real_escape_string($_REQUEST['value']); +- $op = mysql_real_escape_string($_REQUEST['op']); ++ // This function adds objects to and removes objects from the object_mappings table. ++ // This function has been updated to use PDO prepared statements. ++ global $dbpdo; ++ $obtype = $_REQUEST['obtype']; ++ $object = hextostr($_REQUEST['object']); ++ $value = $_REQUEST['value']; ++ $op = $_REQUEST['op']; + + // For everything but tags we want to replace the existing value + $hash = md5($obtype . $object); +@@ -1434,48 +1532,70 @@ function addremoveobject() { + break; + } + ++ // Are we adding or removing? + switch ($op) { + case "add": +- $query = "INSERT INTO object_mappings (type,object,value,hash) +- VALUES ('$obtype','$object','$value','$hash') ++ // If adding object, insert into table. ++ $statement = "INSERT INTO object_mappings (type,object,value,hash) ++ VALUES (:obtype1,:object1,:value1,:hash1) + ON DUPLICATE KEY UPDATE +- type='$obtype',object='$object',value='$value',hash='$hash'"; ++ type=:obtype2,object=:object2,value=:value2,hash=:hash2"; ++ // build parameters for prepared statement ++ $params = [":obtype1" => "$obtype", ":object1" => "$object", ":value1" => "$value", ":hash1" => "$hash", ":obtype2" => "$obtype", ":object2" => "$object", ":value2" => "$value", ":hash2" => "$hash"]; + break; + case "rm": +- $query = "DELETE FROM object_mappings WHERE hash = '$hash'"; ++ // If removing object, delete from table. 
++ $statement = "DELETE FROM object_mappings WHERE hash = :hash"; ++ // build parameters for prepared statement ++ $params = [":hash" => "$hash"]; + break; + } +- +- mysql_query($query); +- $result = mysql_error(); +- $return = array("msg" => $result); +- ++ // debug ++ //error_log("$statement"); ++ // prepare statement ++ $query = $dbpdo->prepare("$statement"); ++ // execute the prepared statement with the params ++ $query->execute($params); ++ // check for errors ++ $result = $query->errorInfo(); ++ $error = ""; ++ // if there was no error, then $result[2] should be null ++ if ( ! is_null($result[2]) ) { ++ $error = $result[2]; ++ } ++ $return = array("msg" => $error); + $theJSON = json_encode($return); + echo $theJSON; + } + + function getcolour() { +- $user = $_SESSION['sUser']; +- +- $query = "SELECT object, value AS colour ++ // This function gets the color mappings from the object_mappings table. ++ // This function has been updated to use PDO prepared statements. ++ global $dbpdo; ++ // build statement ++ $statement = "SELECT object, value AS colour + FROM object_mappings + WHERE type = 'el_c'"; +- +- $result = mysql_query($query); +- $rows = array(); +- while ($row = mysql_fetch_assoc($result)) { +- $rows[] = $row; +- } ++ // debug ++ //error_log("$statement"); ++ // prepare statement ++ $query = $dbpdo->prepare("$statement"); ++ // execute the prepared statement ++ $query->execute(); ++ // fetch the data and encode to json ++ $rows = $query->fetchAll(PDO::FETCH_ASSOC); + $theJSON = json_encode($rows); + echo $theJSON; + } + + function objhistory () { +- global $offset, $start, $sdate; ++ // This function returns the history for an object over the last 7 days. ++ // This function has been updated to use PDO prepared statements. ++ global $offset, $start, $sdate, $sdatetime, $offset, $dbpdo; + $object = hextostr($_REQUEST['object']); + $object = str_replace("aa", "", $object); + +- // Plant, animal or mineral? ++ // Is object an IP address? 
+ $re = '/^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}$/'; + $obtype = 0; + if (preg_match($re, $object)) { +@@ -1483,45 +1603,66 @@ function objhistory () { + } + + switch ($obtype) { +- case 0: $subject = "signature_id = '$object'"; break; +- case 1: $subject = "(src_ip = INET_ATON('$object') OR dst_ip = INET_ATON('$object'))"; break; +- } ++ case 0: ++ $subject = "signature_id = :object"; ++ $statement = "SELECT ++ DATE(CONVERT_TZ(event.timestamp,'+00:00', :offset1)) AS day, ++ HOUR(CONVERT_TZ(event.timestamp,'+00:00', :offset2)) AS hour, ++ COUNT(event.timestamp) AS value ++ FROM event ++ WHERE event.timestamp BETWEEN CONVERT_TZ(:sdatetime1,:offset3,'+00:00') - INTERVAL 6 DAY AND CONVERT_TZ(:sdatetime2,:offset4,'+00:00') + INTERVAL 1 DAY ++ AND signature_id = :object ++ GROUP BY day,hour ++ ORDER BY day ASC"; ++ $params = [":offset1" => "$offset", ":offset2" => "$offset", ":sdatetime1" => "$sdatetime", ":offset3" => "$offset", ":sdatetime2" => "$sdatetime", ":offset4" => "$offset", ":object" => "$object"]; ++ break; + +- $query = "SELECT +- DATE(CONVERT_TZ(event.timestamp,'+00:00','$offset')) AS day, +- HOUR(CONVERT_TZ(event.timestamp,'+00:00','$offset')) AS hour, ++ case 1: ++ $subject = "(src_ip = INET_ATON('$object') OR dst_ip = INET_ATON('$object'))"; ++ $statement = "SELECT ++ DATE(CONVERT_TZ(event.timestamp,'+00:00', :offset1)) AS day, ++ HOUR(CONVERT_TZ(event.timestamp,'+00:00', :offset2)) AS hour, + COUNT(event.timestamp) AS value + FROM event +- WHERE event.timestamp BETWEEN $start - INTERVAL 6 DAY AND $start + INTERVAL 1 DAY +- AND $subject ++ WHERE event.timestamp BETWEEN CONVERT_TZ(:sdatetime1,:offset3,'+00:00') - INTERVAL 6 DAY AND CONVERT_TZ(:sdatetime2,:offset4,'+00:00') + INTERVAL 1 DAY ++ AND (src_ip = INET_ATON(:object1) OR dst_ip = INET_ATON(:object2)) + GROUP BY day,hour + ORDER BY day ASC"; ++ $params = [":offset1" => "$offset", ":offset2" => "$offset", ":sdatetime1" => "$sdatetime", ":offset3" => "$offset", ":sdatetime2" => "$sdatetime", ":offset4" 
=> "$offset", ":object1" => "$object", ":object2" => "$object"]; ++ break; ++ } ++ $query = $dbpdo->prepare("$statement"); ++ // original used unbuffered query, but that doesn't seem to work with PDO? ++ //$result = mysql_unbuffered_query($query); ++ //$query->setAttribute( PDO::MYSQL_ATTR_USE_BUFFERED_QUERY, False ); ++ $query->execute(array_merge($params)); + + $rows1 = $rows2 = array(); + $r1 = $r2 = 0; +- +- $result = mysql_unbuffered_query($query); +- +- while ($row = mysql_fetch_assoc($result)) { ++ while ($row = $query->fetch(PDO::FETCH_ASSOC)) { + $rows1[] = $row; + $r1++; + } +- + $result = ""; + + if ($r1 != 0 && $obtype == 1) { +- $query = "SELECT ++ $statement = "SELECT + COUNT(signature_id) AS value, + signature AS label, + signature_id AS sid + FROM event +- WHERE event.timestamp BETWEEN $start - INTERVAL 6 DAY AND $start + INTERVAL 1 DAY +- AND $subject ++ WHERE event.timestamp BETWEEN CONVERT_TZ(:sdatetime1,:offset1,'+00:00') - INTERVAL 6 DAY AND CONVERT_TZ(:sdatetime2,:offset2,'+00:00') + INTERVAL 1 DAY ++ AND (src_ip = INET_ATON(:object1) OR dst_ip = INET_ATON(:object2)) + GROUP BY signature_id + ORDER BY value DESC"; + +- $result = mysql_unbuffered_query($query); +- while ($row = mysql_fetch_assoc($result)) { ++ $params = [":sdatetime1" => "$sdatetime", ":offset1" => "$offset", ":sdatetime2" => "$sdatetime", ":offset2" => "$offset", ":object1" => "$object", ":object2" => "$object"]; ++ // original used unbuffered query, but that doesn't seem to work with PDO? 
++ //$result = mysql_unbuffered_query($query); ++ //$query->setAttribute( PDO::MYSQL_ATTR_USE_BUFFERED_QUERY, False ); ++ $query = $dbpdo->prepare("$statement"); ++ $query->execute(array_merge($params)); ++ while ($row = $query->fetch(PDO::FETCH_ASSOC)) { + $rows2[] = $row; + $r2++; + } +@@ -1532,30 +1673,12 @@ function objhistory () { + } + + function times() { +- global $offset, $when, $sensors; +- $filter = hextostr($_REQUEST['filter']); +- if ($filter != 'empty') { +- if (substr($filter, 0,4) == 'cmt ') { +- $comment = explode('cmt ', $filter); +- $qp2 = "LEFT JOIN history ON event.sid = history.sid AND event.cid = history.cid +- WHERE history.comment = '" . mysql_real_escape_string($comment[1]) . "' +- AND $when $sensors"; +- } else { +- // this needs to be fixed +- $filter = str_replace('<','<', $filter); +- $filter = str_replace('>','>', $filter); +- $filter = "AND " . $filter; +- $qp2 = "WHERE $when +- $sensors +- $filter"; +- } +- } else { +- $qp2 = "WHERE $when +- $sensors"; +- } ++ // This function returns data to the times visualization on the EVENTS tab. ++ // This function has been updated to use PDO prepared statements. 
+ +- $query = "SELECT +- SUBSTRING(CONVERT_TZ(event.timestamp,'+00:00','$offset'),12,5) AS time, ++ global $offset, $when, $sensors, $qp2, $qp2_params, $sensor_params, $sv, $dbpdo; ++ $statement = "SELECT ++ SUBSTRING(CONVERT_TZ(event.timestamp,'+00:00',:substringoffset),12,5) AS time, + COUNT(signature) AS count + FROM event + LEFT JOIN mappings AS msrc ON event.src_ip = msrc.ip +@@ -1563,11 +1686,22 @@ function times() { + $qp2 + GROUP BY time + ORDER BY event.timestamp"; +- $result = mysql_query($query); ++ // add params for local part of statement ++ $local_params[':substringoffset'] = "$offset"; ++ // prepare statement ++ $query = $dbpdo->prepare("$statement"); ++ // merge params ++ $merged_params = array_merge($local_params, $sensor_params, $qp2_params); ++ // debug ++ //error_log("statement: $statement"); ++ //error_log("merged_params: " . print_r($merged_params,1)); ++ // execute the prepared statement with the params ++ $query->execute($merged_params); ++ + $rows = array(); + $r = $m = 0; + +- while ($row = mysql_fetch_assoc($result)) { ++ while ($row = $query->fetch(PDO::FETCH_ASSOC)) { + $rows[] = $row; + $cnts[] = $row['count']; + $r++; +--- securityonion-squert-20161212.orig/.scripts/securityonion_update.sql ++++ securityonion-squert-20161212/.scripts/securityonion_update.sql +@@ -133,6 +133,8 @@ VALUES ('url','','1','4d616c77617265446f + + GRANT INSERT,UPDATE,DELETE ON filters TO 'readonly'@'localhost'; + ++GRANT DELETE on autocat to 'readonly'@'localhost'; ++ + GRANT DELETE on history to 'readonly'@'localhost'; + + GRANT UPDATE on user_info TO 'readonly'@'localhost'; diff --git a/debian/patches/improve-calls-to-clicat b/debian/patches/improve-calls-to-clicat new file mode 100644 index 0000000..2befb49 --- /dev/null +++ b/debian/patches/improve-calls-to-clicat 
@@ -0,0 +1,10413 @@ +Description: + TODO: Put a short summary on the line above and replace this paragraph + with a longer explanation of this change. Complete the meta-information + with other relevant fields (see below for details). To make it easier, the + information below has been extracted from the changelog. Adjust it or drop + it. + . + securityonion-squert (20161212-1ubuntu1securityonion17) trusty; urgency=medium + . + * improve calls to clicat +Author: Doug Burks + +--- +The information above should follow the Patch Tagging Guidelines, please +checkout http://dep.debian.net/deps/dep3/ to learn about the format. Here +are templates for supplementary fields that you might want to add: + +Origin: , +Bug: +Bug-Debian: http://bugs.debian.org/ +Bug-Ubuntu: https://launchpad.net/bugs/ +Forwarded: +Reviewed-By: +Last-Update: + +--- /dev/null ++++ securityonion-squert-20161212/.auth/squert/login.php +@@ -0,0 +1,138 @@ ++ ++// ++// This program is free software: you can redistribute it and/or modify ++// it under the terms of the GNU General Public License as published by ++// the Free Software Foundation, either version 3 of the License, or ++// (at your option) any later version. ++// ++// This program is distributed in the hope that it will be useful, ++// but WITHOUT ANY WARRANTY; without even the implied warranty of ++// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the ++// GNU General Public License for more details. ++// ++// You should have received a copy of the GNU General Public License ++// along with this program. If not, see . 
++// ++// ++ ++include_once '.inc/config.php'; ++ ++$username = $password = $err = ''; ++$focus = 'username'; ++session_set_cookie_params(0, NULL, NULL, NULL, TRUE); ++ ++function cleanUp($string) { ++ if (get_magic_quotes_gpc()) { ++ $string = stripslashes($string); ++ } ++ $string = mysql_real_escape_string($string); ++ return $string; ++} ++ ++if ($_SERVER['REQUEST_METHOD'] == 'POST'){ ++ $username = $_REQUEST['username']; ++ $password = $_REQUEST['password']; ++ $ua = $_SERVER['HTTP_USER_AGENT']; ++ $rqt = $_SERVER['REQUEST_TIME']; ++ $rqaddr = $_SERVER['REMOTE_ADDR']; ++ $max = mt_getrandmax(); ++ $rqt .= mt_rand(0,$max); ++ $rqaddr .= mt_rand(0,$max); ++ $ua .= mt_rand(0,$max); ++ $cmpid = $rqt . $rqaddr . $ua; ++ $id = md5($cmpid); ++ $db = mysql_connect($dbHost,$dbUser,$dbPass); ++ $link = mysql_select_db($dbName, $db); ++ if ($link) { ++ $user = cleanUp($username); ++ $query = "SELECT * FROM user_info WHERE username = '$user'"; ++ $result = mysql_query($query); ++ $numRows = mysql_num_rows($result); ++ ++ if ($numRows > 0) { ++ while ($row = mysql_fetch_row($result)) { ++ $userName = $row[1]; ++ $lastLogin = $row[2]; ++ $userHash = $row[3]; ++ $userEmail = $row[4]; ++ $userType = $row[5]; ++ $userTime = $row[6]; ++ $tzoffset = $row[7]; ++ } ++ // The first 2 chars are the salt ++ $theSalt = substr($userHash, 0,2); ++ ++ // The remainder is the hash ++ $theHash = substr($userHash, 2); ++ ++ // Now we hash the users input ++ $testHash = sha1($password . $theSalt); ++ ++ // Does it match? If yes, start the session. 
++ if ($testHash === $theHash) { ++ session_start(); ++ ++ // Protect against session fixation attack ++ if (!isset($_SESSION['initiated'])) { ++ session_regenerate_id(); ++ $_SESSION['initiated'] = true; ++ } ++ ++ $_SESSION['sLogin'] = 1; ++ $_SESSION['sUser'] = $userName; ++ $_SESSION['sPass'] = $password; ++ $_SESSION['sEmail'] = $userEmail; ++ $_SESSION['sType'] = $userType; ++ $_SESSION['sTime'] = $userTime; ++ $_SESSION['tzoffset'] = $tzoffset; ++ $_SESSION['sTab'] = 't_sum'; ++ $_SESSION['id'] = $id; ++ ++ header ("Location: index.php?id=$id"); ++ } else { ++ $err = 'The user name or password is incorrect.'; ++ $focus = 'username'; ++ } ++ } else { ++ $err = 'The user name or password is incorrect.'; ++ $focus = 'username'; ++ } ++ } else { ++ $err = 'Connection Failed'; ++ } ++} ++?> ++ ++ ++ ++Please login to continue ++ ++ ++ ++ ++
++
++ ++ ++ ++ ++ ++ ++
++squert - Please login to continue
++Username
++
++Password
++
++

++
Version 1.6.7©2016 Paul Halliday
++
++
++ ++ ++ +--- /dev/null ++++ securityonion-squert-20161212/.auth/squert/squertMain.js +@@ -0,0 +1,3275 @@ ++/* Copyright (C) 2012 Paul Halliday */ ++ ++$(document).ready(function(){ ++ ++ $(document).on('click', '[class*="bpr"]', function() { ++ // We disallow filtering if any events have already been selected ++ // or if we stray from the event tab ++ if ($('.d_row_active')[0]) return; ++ if ($(".chk_event:checked").length > 0) return; ++ if ($(".tab_active").attr('id') != 't_sum') return; ++ ++ var prClass = $(this).attr('class').split('b')[1]; ++ var prOld = $(this).data('pr'); ++ ++ function flipIt(pattern) { ++ $(pattern).closest('tr').hide(); ++ $(pattern).closest('tr').attr('class','hidden'); ++ if ($('#gr').text() == 'on') $(pattern).closest('tr').find('.chk_event').prop("disabled",true); ++ } ++ if ($('.b' + prClass).attr('class') == 'bprA') { ++ $('.b' + prClass).attr('class', 'bpr' + prOld); ++ $('.hidden').attr('class','d_row'); ++ $('.d_row').show(); ++ if ($('#gr').text() == 'on') { ++ $('.chk_event').prop("disabled",false); ++ $('.chk_all').prop("checked",false); ++ $('.chk_event').css("background-color", "#fafafa"); ++ } ++ } else { ++ // See if we are already filtered ++ if ($('.bprA')[0]) { ++ $('.hidden').attr('class','d_row'); ++ $('.d_row').show(); ++ if ($('#gr').text() == 'on') { ++ $('.chk_event').prop("disabled",false); ++ $('.chk_all').prop("checked",false); ++ $('.chk_event').css("background-color", "#fafafa"); ++ } ++ var prPrev = $('.bprA').data('pr'); ++ $('.bprA').attr('class', 'bpr' + prPrev); ++ } ++ $('.b' + prClass).attr('class','bprA'); ++ switch (prClass) { ++ case "pr1": ptrn = ".pr2,.pr3,.pr4"; break; ++ case "pr2": ptrn = ".pr1,.pr3,.pr4"; break; ++ case "pr3": ptrn = ".pr1,.pr2,.pr4"; break; ++ case "pr4": ptrn = ".pr1,.pr2,.pr3"; break; ++ } ++ flipIt(ptrn); ++ } ++ }); ++ ++ // ++ // Load main content ++ // ++ ++ // Keep track of context ++ thisUser = $('#t_usr').data('c_usr'); ++ thisTZ = $('#user_tz').val(); ++ rtbit = 
0;
++ eventList("0-aaa-00");
++ $("#loader").show();
++ lastclasscount = 0;
++
++ $(document).on("click", "#dt_savetz", function(event) {
++ if ($('.dt_error').data('err') == 0) {
++ var newOffset = $('#ts_offset').val();
++ profileUpdate("tz", s2h(newOffset));
++ $('#user_tz').val(newOffset);
++ }
++ });
++
++ // Depending on context a 'No result' may be confusing
++ // so we turn off active queue and show everything
++ $(document).on('click', '#retry', function() {
++ $('#rt').attr('class','tvalue_off');
++ $('#rt').text('off');
++ rtbit = 0;
++ $('.b_update').click();
++ });
++
++ // Get event statuses
++ var eTotal = 0, qTotal = 0;
++ function statusPoll(caller) {
++ // See if we are filtering by sensor
++ var theSensors = s2h('empty');
++ if ($('.chk_sen:checked').length > 0) {
++ var active_sensors = "AND event.sid IN(";
++ var iter = $('.chk_sen:checked').length;
++ $('.chk_sen:checked').each(function() {
++ active_sensors += "'" + $(this).val() + "',";
++ });
++ active_sensors = active_sensors.replace(/,+$/,'');
++ active_sensors += ")";
++ theSensors = s2h(active_sensors);
++ }
++
++ var urArgs = "type=" + 6 + "&ts=" + theWhen + "&sensors=" + theSensors;
++ $(function(){
++ $.get(".inc/callback.php?" + urArgs, function(data){cb(data)});
++ });
++
++ function cb(data){
++ // Check to make sure we still have a valid session. If we don't
++ // let the user know and return them to the login page.
++ if (data[0] == "<") {
++ $("span.class_msg").text("Your session has expired!");
++ $("span.class_msg").css("background-color", "#cc0000");
++ $("span.class_msg").css("color", "#fff");
++ $("span.class_msg").show();
++ var sessionDead = confirm("Your session has expired. Press \"OK\" to return to the login page. If you aren't finished with what you were looking at click 'Cancel'. 
Note: you won't be able to perform any actions."); ++ if (sessionDead) { ++ $("#logout").click(); ++ } ++ } ++ eval("ec=" + data); ++ ++ var esum = 0; ++ ++ for (var i=0; i 0) { ++ var p = parseFloat(ecount/esum*100).toFixed(1); ++ var w = parseInt(p*2); ++ } ++ if (eclass == 0) { ++ qTotal = ecount; ++ } ++ $("#c-" + eclass).text(ecount); ++ $("#c-" + eclass).append("(" + p + "%)"); ++ } ++ ++ var lastcount = $("#cat_sum").val(); ++ var newcount = esum; ++ $("#cat_sum").val(esum); ++ eTotal = esum; ++ $("#event_sum").val(eTotal); ++ ++ if (caller == 0) { // Fresh load ++ lastcount = newcount; ++ } ++ ++ // Last RT value ++ var lastQ = Number($("#qtotal").html()); ++ if (lastcount < newcount) { ++ $("#etotal").html(eTotal); ++ } ++ ++ if (lastQ < qTotal) { ++ if (caller != 0) { ++ if ($(".icon_notifier").css('display') == 'none') $(".icon_notifier").fadeToggle(); ++ } ++ $("#etotal").html(eTotal); ++ $("#qtotal").html(qTotal); ++ } ++ ++ $("#title").html("squert (" + qTotal + ") - " + thisUser); ++ ++ } ++ ++ } ++ ++ // ++ // Event monitor (how often we poll for new events) ++ // ++ ++ var emTimeout = 30000; ++ window.setInterval(function(){ ++ if ($('#search').val().length == 0) { ++ statusPoll(1); ++ } ++ }, emTimeout); ++ ++ $(document).on("click", '[class*="cl_"]', function(event) { ++ var nc = $(this).attr('class').split("_"); ++ var ct = $(this).parents('table').data('comment'); ++ $(".cat_msg_txt").val(ct); ++ $('#b_class-' + nc[1]).click(); ++ }); ++ ++ // Tabs ++ var tab_cached = $("#sel_tab").val(); ++ ++ switch (tab_cached) { ++ case "t_sum": ++ $('.content-right').show(); ++ break; ++ case "t_ovr": ++ $('.content-right').hide(); ++ $('.content-left').hide(); ++ if ($('#ovestat').text().length == 0) loadSummary(); ++ break; ++ case "t_view": ++ $('.content-right').hide(); ++ $('.content-left').hide(); ++ loadViews(); ++ default: ++ $('.content-right').hide(); ++ $('.content-left').hide(); ++ break; ++ } ++ ++ $('#' + 
tab_cached).attr('class','tab_active'); ++ $("#" + tab_cached + "_content").attr('class','content_active'); ++ ++ $(".tab,.tab_active").click(function(event) { ++ var active = $(".tab_active").attr('id'); ++ var content = $(".content_active").attr('id'); ++ if ($(".fl_val_on")[0]) { ++ $('.b_update').click(); ++ } ++ ++ if ( this.id != active ) { ++ $("#" + active).removeClass('tab_active'); ++ $("#" + active).addClass('tab'); ++ $(this).attr('class','tab_active'); ++ $("#" + content).attr('class','content'); ++ $("#" + this.id + "_content").attr('class','content_active'); ++ activeTab = $(".tab_active").attr('id'); ++ $('.pin').hide(); ++ ++ switch (activeTab) { ++ case "t_sum": ++ $('.content-right').show(); ++ if (Number($('.botog').data('val')) == 1) $('.content-left').show(); ++ $('.t_pbar').css('opacity',1); ++ $('.db_links').hide(); ++ $('.pin').show(); ++ break; ++ case "t_ovr": ++ $('.content-right').hide(); ++ $('.content-left').hide(); ++ if ($('#ovestat').text().length == 0) loadSummary(); ++ $('.t_pbar').css('opacity',.1); ++ $('.db_links').hide(); ++ break; ++ case "t_view": ++ $('.content-right').hide(); ++ $('.content-left').hide(); ++ $('.t_pbar').css('opacity',.1); ++ loadViews(); ++ break; ++ default: ++ $('.content-right').hide(); ++ $('.content-left').hide(); ++ $('.t_pbar').css('opacity',.1); ++ $('.db_links').hide(); ++ break; ++ } ++ ++ $('#sel_tab').val(activeTab); ++ var ctab = $('#sel_tab').val(); ++ var urArgs = "type=" + 5 + "&tab=" + ctab; ++ $.get(".inc/callback.php?" 
+ urArgs); ++ } ++ }); ++ ++ // Sub tab groups ++ $(".tsg").click(function(event) { ++ var nc = Number($(this).attr('class').split(/\s/).length); ++ var ct = $(this).data('tab'); ++ $('.tsg_active').attr('class','tsg'); ++ $(this).attr('class','tsg tsg_active'); ++ }); ++ ++ // Toggle and update views ++ function newView(req) { ++ // No racing please ++ var bail = $("#loader").css('display'); ++ if (bail != 'none') return; ++ // Remove any stale views ++ $("#tl0,#tl1,#tl3a,#tl3b").remove(); ++ var f = "0-aaa-00"; ++ var s = "2a-aaa-00"; ++ var cv = $("#gr").text(); ++ ++ switch (cv) { ++ case "on": ++ eventList(f); ++ $("#loader").show(); ++ break; ++ case "off": ++ eventList(s); ++ $("#loader").show(); ++ break; ++ } ++ } ++ ++ // Group and ungroup ++ $(document).on("click", "#gr", function(event) { ++ var bail = $("#loader").css('display'); ++ if (bail != 'none') return; ++ var cv = $('#gr').text(); ++ switch (cv) { ++ case 'on': ++ $('#gr').attr('class','tvalue_off'); ++ $('#gr').text('off'); ++ break; ++ case 'off': ++ $('#gr').attr('class','tvalue_on'); ++ $('#gr').text('on'); ++ $("#event_sort").val("DESC"); ++ break; ++ } ++ }); ++ ++ // RT check/uncheck ++ $(document).on("click", "#rt", function(event) { ++ var bail = $("#loader").css('display'); ++ if (bail != 'none') return; ++ var cv = $('#rt').text(); ++ switch (cv) { ++ case 'on': ++ $('#rt').attr('class','tvalue_off'); ++ $('#rt').text('off'); ++ rtbit = 0; ++ break; ++ case 'off': ++ $('#rt').attr('class','tvalue_on'); ++ $('#rt').text('on'); ++ rtbit = 1; ++ break; ++ } ++ }); ++ ++ // Toggle side/lower bars ++ $(document).on("click", ".botog", function(event) { ++ if ($('.tab_active').attr('id') != 't_sum') return; ++ var n = Number($('.botog').data("val")); ++ switch (n) { ++ case 1: ++ $('.botog').data("val","0"); ++ $('.content-right').css("width","100%"); ++ $('.botog').attr('src','.css/layout0.png'); ++ break; ++ case 0: ++ $('.botog').data("val","1"); ++ 
$('.content-right').css("width","82%"); ++ $('.botog').attr('src','.css/layout1.png'); ++ break; ++ } ++ $('.bottom').animate({height: 'toggle'}); ++ $('.content-left').animate({width: 'toggle'}); ++ }); ++ ++ // Section show and hide ++ $(".st").click(function() { ++ var thisSec = $(this).data("sec"); ++ var thisSecID = "#sec_" + thisSec; ++ var thisSecVis = $(thisSecID).css("display"); ++ var lastSection = "h"; ++ switch (thisSecVis) { ++ case "none": ++ $(this).attr("src", ".css/uarr.png"); ++ $(thisSecID).slideDown(); ++ break; ++ default: ++ $(this).attr("src", ".css/darr.png"); ++ $(thisSecID).slideUp(); ++ break; ++ } ++ }); ++ ++ // If search is in focus, update on enter ++ $('#search').keypress(function(e) { ++ if (!e) e=window.event; ++ key = e.keyCode ? e.keyCode : e.which; ++ if (key == 13) { ++ // Close comment box if it is open ++ if ($('#cat_box').css('display') != 'none') { ++ $('#ico01').click(); ++ } ++ $('.b_update').click(); ++ } ++ }); ++ ++ // Sort ASC/DESC ++ $(document).on("click", ".event_time", function(event) { ++ var csv = $(".event_time").text(); ++ switch (csv) { ++ case "show oldest first": ++ $("#event_sort").val("ASC"); ++ break; ++ case "show newest first": ++ $("#event_sort").val("DESC"); ++ break; ++ } ++ newView("u"); ++ }); ++ ++ // Update page ++ $(document).on("click", ".b_update", function(event) { ++ $(".icon_notifier").fadeToggle(); ++ $(".tag").remove(); ++ $(".tag_empty").show(); ++ // Remove any supplementary results ++ if ($("#extresult")[0]) $("#extresult").remove(); ++ // Where are we? 
++ var curTab = $('.tab_active').attr('id'); ++ switch (curTab) { ++ case 't_ovr': ++ loadSummary(); ++ break; ++ case 't_view': ++ mkView(); ++ break; ++ default: ++ $(".b_update_note").hide(); ++ newView("u"); ++ break; ++ } ++ }); ++ ++ // Clear search and refresh ++ $('#clear_search').click(function() { ++ if ($('#search').val() != '') { ++ $('#search').val(''); ++ $("#search").focus(); ++ if ($(".fl_val_on")[0]) { ++ $('.b_update').click(); ++ } ++ } ++ }); ++ ++ // Logout ++ $("#logout").click(function(event) { ++ $.get("index.php?id=0", function(){location.reload()}); ++ }); ++ ++ // Toggle filters ++ $(document).on('click', '.fl_val_on', function(event) { ++ var wF = $(this).data("ft"); ++ switch (wF) { ++ case "tl": ++ ++ break; ++ case "ob": ++ $('#clear_search').click(); ++ break; ++ case "sn": ++ $(".chk_sen").each(function() { ++ $(this).prop("checked",false); ++ }); ++ $('.b_update').click(); ++ break; ++ } ++ }); ++ ++ function clearTags() { ++ //$(".tag").remove(); ++ //$(".tag_empty").show(); ++ $(".tag").removeClass('tag_active'); ++ } ++ ++ // ++ // Rows ++ // ++ ++ function closeRow() { ++ $("#active_eview").remove(); ++ $("#" + this.id).attr('class','d_row'); ++ $(".d_row").css('opacity','1'); ++ ltCol = $(".d_row_active").find('td.lt').html(); ++ $(".d_row_active").find('td.lt').css('background', ltCol); ++ $(".d_row_active").attr('class','d_row'); ++ // Update class_count ++ $("#class_count").text(lastclasscount); ++ // Get rid of any crashed loaders ++ $("#loader").hide(); ++ // Reset checkbox ++ $(".chk_all").prop("checked",false); ++ // Clear Tags ++ clearTags(); ++ } ++ function closeSubRow() { ++ $("#eview_sub1").remove(); ++ $("#" + this.id).attr('class','d_row_sub'); ++ $(".d_row_sub").css('opacity','1'); ++ $(".d_row_sub_active").attr('class','d_row_sub'); ++ // Update class_count ++ $("#class_count").text(lastclasscount); ++ curclasscount = lastclasscount; ++ $("#loader").hide(); ++ // Reset and show checkbox ++ 
$(".chk_all").prop("checked",false); ++ $("#ca0").show(); ++ // Remove any open externals ++ if ($("#extresult")[0]) $("#extresult").remove(); ++ // Clear Tags ++ clearTags(); ++ } ++ function closeSubRow1() { ++ $("#eview_sub2").remove(); ++ $("#" + this.id).attr('class','d_row_sub1'); ++ if (!$("#eview_sub3")[0]) { ++ $(".d_row_sub1").css('opacity','1'); ++ $(".d_row_sub_active1").attr('class','d_row_sub1'); ++ } ++ $("#loader").hide(); ++ // Reset checkbox ++ $(".chk_all").prop("checked",false); ++ // Remove any open externals ++ if ($("#extresult")[0]) $("#extresult").remove(); ++ // Clear Tags ++ clearTags(); ++ } ++ function closeSubRow2() { ++ $("#eview_sub3").remove(); ++ $("#" + this.id).attr('class','d_row_sub1'); ++ if (!$("#eview_sub2")[0]) { ++ $(".d_row_sub1").css('opacity','1'); ++ $(".d_row_sub1_active").attr('class','d_row_sub1'); ++ } ++ $("#loader").hide(); ++ // Clear Tags ++ clearTags(); ++ } ++ ++ // ++ // Level 1 ++ // ++ ++ $(document).on("click", ".row_active", function(event) { ++ var curID = $(this).parent('tr').attr('id'); ++ // What type of row are we? ++ rowType = curID.substr(0,3); ++ ++ // Make sure no other instances are open ++ if (!$(".d_row_active")[0] && rowType == 'sid') { ++ $("#loader").show(); ++ // This leaves us with sid-gid ++ var rowValue = curID.replace("sid-",""); ++ var sigID = rowValue.split("-")[0]; ++ ++ $(".d_row_active").attr('class', 'd_row'); ++ $("#active_eview").attr('class','d_row'); ++ ++ // This is now the active row ++ $("#" + curID).attr('class','d_row_active'); ++ $("html, body").animate({ scrollTop: $('.d_row_active').offset().top - 140 }, 20); ++ // History ++ var itemToAdd = $("#" + curID).find('[class*="row_filter"]').text(); ++ hItemAdd(itemToAdd); ++ // Set the class count (counted again after load) ++ curclasscount = $('.d_row_active').data('event_count'); ++ var cols = $('th.sort').length; ++ var tbl = ''; ++ tbl += ""; ++ tbl += "
"; ++ tbl += "
"; ++ tbl += "
"; ++ tbl += "
"; ++ tbl += "
"; ++ tbl += "
"; ++ tbl += "
"; ++ tbl += "
"; ++ tbl += ""; ++ tbl += "CATEGORIZE"; ++ tbl += curclasscount + "EVENT(S)  "; ++ tbl += "    "; ++ tbl += "CREATE FILTER: "; ++ tbl += "src  "; ++ tbl += "dst  "; ++ tbl += "both"; ++ tbl += "
"; ++ $("#" + curID).after(tbl); ++ ++ // Lookup signature ++ sigLookup(rowValue); ++ ++ // Fetch results ++ eventList("1-" + rowValue); ++ ++ $("#eview").show(); ++ $(".d_row").fadeTo('0','0.2'); ++ } else { ++ closeRow(); ++ } ++ }); ++ ++ // ++ // Level 2 ++ // ++ ++ $(document).on("click", ".sub_active", function() { ++ if (!$(".d_row_sub_active")[0]) { ++ var callerID = $(this).parent('tr').attr('id'); ++ ++ // Reset checkbox ++ $(".chk_all").prop("checked",false); ++ ++ // RT or ALL? ++ switch (rtbit) { ++ case 1: adqp = s2h("AND event.status = 0"); break; ++ case 0: adqp = s2h("empty"); break; ++ } ++ // We are now the active row ++ $("#" + callerID).attr('class','d_row_sub_active'); ++ ++ // Populate search times ++ var bt = $("#" + callerID).find('[class*="timestamp"]').html(); ++ var est = mkStamp(bt,"-",3600000,thisTZ); ++ var eet = mkStamp(bt,"+",3600000,thisTZ); ++ ++ $('#el_start').val(est); ++ $('#el_end').val(eet); ++ ++ // Clear search terms ++ $("#srchterms").html(''); ++ $(".srch_txt").val(''); ++ ++ // History and search ++ $("#" + callerID).find('[class*="sub_filter"]').each(function() { ++ if ($(this).data('type') == 'cc') { ++ var itemToAdd = $(this).data('value'); ++ } else { ++ var itemToAdd = $(this).text(); ++ // Add search terms ++ $("#srchterms").append("" + itemToAdd + "  "); ++ } ++ hItemAdd(itemToAdd); ++ }); ++ ++ $("#loader").show(); ++ eventList("2-" + callerID + "-" + adqp); ++ } else { ++ closeSubRow(); ++ } ++ }); ++ ++ // ++ // Level 3 (a or b) request payload ++ // ++ ++ $(document).on("click", ".sub1_active", function() { ++ // Close transcript if it is open ++ if ($(".eview_sub3")[0]) closeSubRow2(); ++ if (!$(".d_row_sub_active1")[0]) { ++ var callerID = $(this).parent('tr').attr('id'); ++ $("#" + callerID).attr('class','d_row_sub_active1'); ++ ++ // Populate search times ++ var bt = $("#" + callerID).find('[class*="timestamp"]').html(); ++ var est = mkStamp(bt,"-",1800000,thisTZ); ++ var eet = 
mkStamp(bt,"+",1800000,thisTZ); ++ ++ $('#el_start').val(est); ++ $('#el_end').val(eet); ++ ++ // Clear search terms ++ $("#srchterms").html(''); ++ $(".srch_txt").val(''); ++ ++ // History ++ $("#" + callerID).find('[class*="sub_filter"]').each(function() { ++ if ($(this).data('type') == 'cc') { ++ var itemToAdd = $(this).data('value'); ++ } else { ++ var itemToAdd = $(this).text(); ++ } ++ if ($(this).data('type') == 'ip') { ++ // Add search terms ++ $("#srchterms").append("" + itemToAdd + "  "); ++ } ++ hItemAdd(itemToAdd); ++ }); ++ $("#loader").show(); ++ eventList("3-" + callerID); ++ } else { ++ closeSubRow1() ++ } ++ }); ++ ++ // ++ // Level 3 (a or b) request transcript ++ // ++ ++ $(document).on("click", ".sub2_active", function(event) { ++ // Close payload if it is open ++ if ($(".eview_sub2")[0]) closeSubRow1(); ++ var bail = $("#loader").css('display'); ++ if (bail != 'none') return; ++ if (!$(".eview_sub3")[0]) { ++ $("#loader").show(); ++ composite = $(this).data('tx').split("-"); ++ rowLoke = composite[0]; ++ $("#" + rowLoke).attr('class','d_row_sub1_active'); ++ nCols = $("#" + rowLoke).find('td').length; ++ cid = composite[1]; ++ txdata = composite[2]; ++ ++ // See if a transcript is available ++ var urArgs = "type=" + 7 + "&txdata=" + txdata; ++ $(function(){ ++ $.post(".inc/callback.php?" + urArgs, function(data){cb5(data)}); ++ }); ++ ++ function cb5(data){ ++ eval("txRaw=" + data); ++ txCMD = txRaw.cmd; ++ txResult = txRaw.tx; ++ txDebug = txRaw.dbg; ++ if (txResult == "DEBUG:") txResult += " No data was returned."; ++ if (!txResult) { ++ txResult = "Transcript request failed!

"; ++ txResult += "The command was:
" + txCMD + "

"; ++ txResult += "The response was:" + txDebug.replace(/DEBUG:/g,"
"); ++ } ++ ++ var row = '',tbl = ''; ++ row += ""; ++ row += ""; ++ row += "
"; ++ row += txResult; ++ row += "
"; ++ ++ tbl += ""; ++ tbl += row; ++ tbl += ""; ++ $("#" + rowLoke).after(tbl); ++ ++ // Turn off fade effect for large results ++ var rC = $(".d_row_sub1").length; ++ if ( rC <= 399 ) { ++ $(".d_row_sub1").fadeTo('fast','0.2'); ++ } ++ ++ $("#loader").hide(); ++ } ++ } else { ++ closeSubRow2(); ++ } ++ }); ++ ++ // Toggle RT depending on entry point ++ $(document).on("click", ".b_ec_hot", function() { ++ rtbit = 1; ++ }); ++ $(document).on("click", ".b_ec_total", function() { ++ rtbit = 0; ++ }); ++ ++ // Filter constructor ++ function mkFilter() { ++ if ($('#search').val().length > 0) { ++ ++ var srchVal = $('#search').val(); ++ var fParts = ""; ++ ++ // If no term is supplied default to a string, IP or wildcard IP search ++ chkVal: ++ if (srchVal.indexOf(" ") == -1 && srchVal[0] != "!") { ++ var re = /^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}/; ++ if (re.exec(srchVal)) { ++ srchVal = "ip " + srchVal; ++ break chkVal; ++ } ++ ++ var re = /^(\d{1,3}|%)\.(\d{1,3}|%)\.(\d{1,3}|%)\.(\d{1,3}|%)/; ++ if (re.exec(srchVal)) { ++ srchVal = "wip " + srchVal; ++ break chkVal; ++ } ++ ++ srchVal = "sig " + srchVal; ++ } ++ ++ fParts = srchVal.replace(/^!/,"").split(" "); ++ if (fParts[0] == 'cmt') { ++ var theFilter = s2h($('#search').val()); ++ rtbit = 0; ++ } else { ++ // Now see if the requested filter exists ++ if ($("#tr_" + fParts[0]).length > 0) { ++ tmpFilter = $("#tr_" + fParts[0]).data('filter'); ++ // Now see if we need to modify the query ++ if (fParts[1]) { ++ // This is the base filter ++ preFilter = h2s(tmpFilter); ++ // This is the user supplied text. 
++ var re = new RegExp("^" + fParts[0] + "\\s{1}|[';\\\`]","g"); ++ theQuestion = fParts.join(' ').replace(re, ""); ++ // We will accept multiple questions if they are comma delimited ++ questionParts = theQuestion.split(","); ++ if (questionParts.length > 1) { ++ var f = '('; ++ for (var i = 0; i < questionParts.length; i++) { ++ f += preFilter.replace(/\$/g, questionParts[i]); ++ if (i != (questionParts.length - 1)) { ++ f += " OR "; ++ } ++ } ++ f += ')'; ++ theFilter = s2h(f); ++ } else { ++ var newFilter = preFilter.replace(/\$/g, questionParts[0]); ++ theFilter = s2h(newFilter); ++ } ++ } else { ++ theFilter = tmpFilter; ++ } ++ } else { // The filter does not exist ++ theFilter = s2h('empty'); ++ } ++ } ++ } else { // No filter supplied ++ theFilter = s2h('empty'); ++ } ++ return theFilter; ++ } ++ ++ // ++ // This creates the views for each level ++ // ++ ++ function eventList (type) { ++ theWhen = getTimestamp(); ++ statusPoll(0); ++ var parts = type.split("-"); ++ var filterMsg = ''; ++ var rt = 0; ++ var theSensors = s2h('empty'); ++ var theFilter = mkFilter(); ++ ++ // See if we are just RT events ++ if ($('#rt').text() == 'on' || rtbit == 1) { ++ rt = 1; ++ rtbit = 1; ++ } ++ // How are we sorting? 
++ var sortval = $("#event_sort").val(), sorttxt; ++ switch (sortval) { ++ case "DESC": sorttxt = "show oldest first"; break; ++ case "ASC": sorttxt = "show newest first"; break; ++ } ++ ++ // See if we are filtering by sensor ++ if ($('.chk_sen:checked').length > 0) { ++ var active_sensors = "AND event.sid IN("; ++ var iter = $('.chk_sen:checked').length; ++ $('.chk_sen:checked').each(function() { ++ active_sensors += "'" + $(this).val() + "',"; ++ }); ++ active_sensors = active_sensors.replace(/,+$/,''); ++ active_sensors += ")"; ++ theSensors = s2h(active_sensors); ++ } ++ ++ // Check for any filters ++ if (h2s(theFilter) != 'empty') { ++ $('.fl_val').text('YES'); ++ } else { ++ $('.fl_val').text('NO'); ++ } ++ ++ switch (parts[0]) { ++ ++ // Level 0 view - Grouped by Signature ++ case "0": ++ $('.value').text('-'); ++ ++ // Times Chart ++ var urChrtArgs = "type=22&ts=" + theWhen + "&filter=" + theFilter + "&sensors=" + theSensors; ++ $(function(){ ++ $.get(".inc/callback.php?" + urChrtArgs, function(data){cb22(data)}); ++ }); ++ ++ function cb22(data){ ++ eval("chartData=" + data); ++ var r = chartData.r; ++ if (r > 0) { ++ mkLine(".times",chartData.rows,chartData.m); ++ } ++ } ++ ++ var urArgs = "type=" + parts[0] + "&ts=" + theWhen + "&filter=" + theFilter + "&sensors=" + theSensors + "&rt=" + rt + "&sv=" + sortval; ++ $(function(){ ++ $.get(".inc/callback.php?" 
+ urArgs, function(data){cb1(data)}); ++ }); ++ function cb1(data){ ++ eval("d0=" + data); ++ var tbl = ''; ++ var head = ''; ++ var row = ''; ++ var cols = 11; ++ ++ if (rt == 0) cols = 12; ++ head += ""; ++ head += ""; ++ head += "QUEUE"; ++ if (rt == 0) head += "ALL"; ++ head += ""; ++ head += "SC"; ++ head += "DC"; ++ if (rt == 0) head += "CLASS"; ++ head += "ACTIVITY"; ++ head += "LAST EVENT"; ++ head += "SIGNATURE"; ++ head += "ID"; ++ head += "PROTO"; ++ head += "% TOTAL"; ++ head += ""; ++ ++ var sumEC = 0, sumSC = 0, sumDC = 0, sumSI = "-", spr1 = 0, spr2 = 0, spr3 = 0, spr4 = 0; ++ ++ if (d0.length > 0) { ++ // Sums for boxes ++ for (var i=0; i"; ++ row += "No result. If this is unexpected try this"; ++ } ++ ++ if (rt == 1) { ++ sumSC = "-"; ++ sumDC = "-"; ++ sumEC = eTotal; ++ } ++ ++ var sumRT = 0; ++ ++ // Tag Array ++ var tags = new Array(); ++ ++ for (var i=0; i 0 ) { ++ rtClass = "b_ec_hot"; ++ sumRT += parseInt(unClass); ++ } else { ++ rtClass = "b_ec_cold"; ++ } ++ ++ // Sum priorities ++ var prC = Number(d0[i].f1); ++ switch (d0[i].f13) { ++ case "1": spr1 += prC; break; ++ case "2": spr2 += prC; break; ++ case "3": spr3 += prC; break; ++ default: spr4 += prC; break; ++ } ++ ++ rid = "r" + i + "-" + parts[1]; ++ var cells = mkGrid(d0[i].f12); ++ if (rt == 0) var catCells = catGrid(d0[i].f11,0,0); ++ row += ""; ++ row += "
" + unClass + "
"; ++ if (rt == 0) row += "
" + d0[i].f1 + "
"; ++ row += "
" + d0[i].f13 + "
"; ++ row += "" +d0[i].f6+ ""; ++ row += "" +d0[i].f7+ ""; ++ if (rt == 0) row += "" + catCells + ""; ++ ++ timeParts = d0[i].f5.split(" "); ++ timeStamp = timeParts[1]; ++ ++ if ( sumEC > 0) { ++ rowPer = Number(d0[i].f1/sumEC*100).toFixed(3); ++ } else { ++ rowPer = "0.000"; ++ } ++ ++ row += "" + cells + ""; ++ row += "" + timeStamp + ""; ++ row += ""; ++ //row += "
" + d0[i].f2 + "
"; ++ row += d0[i].f2 + ""; ++ row += "" + d0[i].f3 + ""; ++ row += "" + d0[i].f8 + ""; ++ ++ ++ row += "" + rowPer + "%"; ++ row += ""; ++ } ++ ++ // Populate event summary ++ $('#qtotal').text(sumRT); ++ $('#etotal').text(sumEC); ++ $('#esignature').text(sumSI); ++ ++ // Populate tags ++ for (var i=0; i < tags.length; i++) { ++ addTag(tags[i]); ++ } ++ ++ tbl += ""; ++ tbl += head; ++ tbl += row; ++ tbl += "
"; ++ ++ $('#' + parts[1] + '-' + parts[2]).append(tbl); ++ ++ if (d0.length > 0) { ++ var prVals = [spr1,spr2,spr3,spr4]; ++ var pryBar = mkPribar(prVals); ++ } else { ++ var pryBar = mkPribar([0]); ++ } ++ $('#tl1').fadeIn('slow'); ++ $("#tl1").tablesorter(); ++ $("#loader").hide(); ++ } ++ break; ++ ++ // Level 1 view - Grouped by signature, source, destination ++ ++ case "1": ++ var urArgs = "type=" + parts[0] + "&object=" + parts[1] + "&ts=" + theWhen + "&filter=" + theFilter + "&sensors=" + theSensors + "&rt=" + rt + "&sv=" + sortval; ++ $(function(){ ++ $.get(".inc/callback.php?" + urArgs, function(data){cb2(data)}); ++ }); ++ ++ function cb2(data){ ++ eval("theData=" + data); ++ tbl = ''; ++ head = ''; ++ row = ''; ++ head += "QUEUE"; ++ if (rt == 0) head += "TOTAL"; ++ if (rt == 0) head += "CLASS"; ++ head += "ACTIVITY"; ++ head += "LAST EVENT"; ++ head += "SOURCE"; ++ head += "AGE"; ++ head += "COUNTRY"; ++ head += "DESTINATION"; ++ head += "AGE"; ++ head += "COUNTRY"; ++ head += ""; ++ var curclasscount = 0, tlCount = 0, rtCount = 0; ++ var timeValues = "", scid = ""; ++ ++ // Tag array ++ var tags = new Array(); ++ ++ for (var i=0; i 0 ) { ++ rtClass = "b_ec_hot"; ++ isActive = "sub_active"; ++ } else { ++ rtClass = "b_ec_cold"; ++ isActive = "sub"; ++ } ++ ++ // Aggregate time values ++ timeValues += theData[i].c_ts + ","; ++ var cells = mkGrid(theData[i].f12); ++ if (rt == 0) var catCells = catGrid(theData[i].c_status,0,0); ++ ++ // Event sums ++ tlCount += parseInt(count,10); ++ rtCount += parseInt(unclass,10); ++ ++ rid = "r" + i + "-" + parts[1] + "-" + src_ip + "-" + dst_ip; ++ row += ""; ++ row += "
" + unclass + "
"; ++ if (rt == 0) row += "
" + count + "
"; ++ if (rt == 0) row += "" + catCells + ""; ++ row += "" + cells + ""; ++ row += "" + max_time + ""; ++ row += "
" + src_ip + ""; ++ row += "" + src_age_n + ""; ++ row += ""; ++ row += cs[1] + src_clong + " (." + src_cc.toLowerCase() + ")" + ""; ++ row += "
" + dst_ip + ""; ++ row += "" + dst_age_n + ""; ++ row += ""; ++ row += cd[1] + dst_clong + " (." + dst_cc.toLowerCase() + ")" + ""; ++ row += ""; ++ } ++ ++ // Populate tags ++ for (var i=0; i < tags.length; i++) { ++ addTag(tags[i]); ++ } ++ ++ // Add scid's to checkbox ++ $("#ca0").data("scid", scid.replace(/,$/, "")); ++ ++ // If queue is empty provide event sums in case the user ++ // intends to reclass anything ++ if (rtbit == 1) { ++ curclasscount = rtCount; ++ } else { ++ curclasscount = tlCount; ++ } ++ ++ // update class_count ++ $("#class_count").html(curclasscount); ++ lastclasscount = $("#class_count").html(); ++ ++ // While in grouped events (RT) we remove rows as ++ // they are classed and subtract the values from "Total Events" ++ // This keeps etotal up to date so the math doesn't get silly ++ var oldrt = Number($(".d_row_active").find(".b_ec_hot").text()); ++ var oldec = Number($("#etotal").text()); ++ if (oldrt < rtCount) { ++ newrtcount = parseInt((rtCount - oldrt) + oldec); ++ $("#etotal").text(newrtcount); ++ } ++ ++ // Update parent counts ++ $(".d_row_active").find(".b_ec_hot").text(rtCount); ++ if (rt == 0) $(".d_row_active").find(".b_ec_total").text(tlCount); ++ ++ tbl += "
"; ++ tbl += head; ++ tbl += row; ++ tbl += "
"; ++ $("#eview").after(tbl); ++ $("#tl2").tablesorter({ ++ headers: { ++ 4: {sorter:'ipv4'}, ++ 6: {sorter:'ipv4'} ++ } ++ }); ++ $("#loader").hide(); ++ } ++ break; ++ ++ // Level 2 view - No grouping, individual events ++ ++ case "2": ++ var rowLoke = parts[1]; ++ var filter = $('#' + parts[1]).data('filter'); ++ var urArgs = "type=" + parts[0] + "&object=" + filter + "&filter=" + theFilter + "&sensors=" + theSensors + "&ts=" + theWhen + "&adqp=" + parts[2] + "&rt=" + rt + "&sv=" + sortval; ++ $(function(){ ++ $.get(".inc/callback.php?" + urArgs, function(data){cb3(data)}); ++ }); ++ ++ function cb3(data){ ++ eval("d2=" + data); ++ tbl = ''; ++ head = ''; ++ row = ''; ++ head += ""; ++ head += ""; ++ head += "ST"; ++ head += "TIMESTAMP"; ++ head += "EVENT ID"; ++ head += "SOURCE"; ++ head += "PORT"; ++ head += "DESTINATION"; ++ head += "PORT"; ++ head += "SIGNATURE"; ++ head += ""; ++ ++ // Update class_count ++ $("#class_count").html(0); ++ var tlCount=0, rtCount=0; ++ ++ // Tag array ++ var tags= new Array(); ++ ++ for (var i=0; i"; ++ tclass = "c" + eclass; ++ cv = classifications.class[tclass][0].short; ++ ++ // Populate tags array ++ if (src_tag != "-") { ++ var src_tags = src_tag.split(","); ++ $.each(src_tags, function(n,tag) { ++ var t = tags.indexOf(tag); ++ if (t < 0) tags.push(tag); ++ }); ++ } ++ ++ if (dst_tag != "-") { ++ var dst_tags = dst_tag.split(","); ++ $.each(dst_tags, function(n,tag) { ++ var t = tags.indexOf(tag); ++ if (t < 0) tags.push(tag); ++ }); ++ } ++ ++ // Timestamp ++ var compts = d2[i].f2.split(",") || "--"; ++ var timestamp = compts[0]; ++ var utctimestamp = compts[1]; ++ ++ // Event sums ++ tlCount += parseInt(1,10); ++ if (cv == "RT") { ++ rtCount += parseInt(1,10); ++ } ++ ++ // Transcript link ++ // original Squert native pivot: ++ //txdata = "s" + i + "-" + cid + "-" + s2h(sid + "|" + utctimestamp + "|" + src_ip + "|" + src_port + "|" + dst_ip + "|" + dst_port); ++ //txBit = "" + sid + "." + cid + "
"; ++ //if (src_port != "-" && dst_port != "-") { ++ // txBit = "" + sid + "." + cid + ""; ++ //} ++ // new pivot to CapMe: ++ txdata = "s" + i + "-" + cid + "-" + s2h(sid + "|" + utctimestamp + "|" + src_ip + "|" + src_port + "|" + dst_ip + "|" + dst_port); ++ txBit = "" + sid + "." + cid + ""; ++ if (src_port != "-" && dst_port != "-") { ++ var startDate = new Date(utctimestamp); ++ var start_tz_offset = (startDate.getTimezoneOffset()); ++ var stime = startDate.setTime( startDate.getTime()/1000-(start_tz_offset*60) ) - 3600; ++ var endDate = new Date(utctimestamp); ++ var end_tz_offset = (endDate.getTimezoneOffset()); ++ var etime = endDate.setTime( endDate.getTime()/1000-(end_tz_offset*60) ) + 3600; ++ txBit = " " + sid + "." + cid + ""; ++ } ++ ++ row += ""; ++ row += "
"; ++ row += cv + "
"; ++ row += "" + timestamp + ""; ++ row += txBit; ++ row += "" + src_ip + ""; ++ row += "" + src_port + ""; ++ row += "" + dst_ip + ""; ++ row += "" + dst_port + ""; ++ row += "" + signature + ""; ++ row += ""; ++ } ++ ++ // Update parent counts ++ $(".d_row_sub_active").find(".b_ec_hot").text(rtCount); ++ if ($(".d_row_sub_active").find(".b_ec_total").text() < tlCount) { ++ $(".d_row_sub_active").find(".b_ec_total").text(tlCount); ++ } ++ ++ var cols = $('th.sort').length; ++ ++ // Populate tags ++ clearTags(); ++ for (var i=0; i < tags.length; i++) { ++ addTag(tags[i]); ++ } ++ ++ tbl += ""; ++ tbl += ""; ++ tbl += head; ++ tbl += row; ++ tbl += "
"; ++ $("#" + rowLoke).after(tbl); ++ $(".d_row_sub").fadeTo('0','0.2'); ++ $("#loader").hide(); ++ $("#tl3").tablesorter({ ++ headers: { ++ 0:{sorter:false}, ++ 4:{sorter:'ipv4'}, ++ 6:{sorter:'ipv4'} ++ }, ++ cancelSelection:false ++ }); ++ $("#ca0").hide(); ++ } ++ break; ++ ++ // Level 2a view - No grouping, individual events ++ ++ case "2a": ++ $('.value').text('-'); ++ var urArgs = "type=2a&ts=" + theWhen + "&filter=" + theFilter + "&sensors=" + theSensors + "&rt=" + rt + "&sv=" + sortval; ++ $(function(){ ++ $.get(".inc/callback.php?" + urArgs, function(data){cb3a(data)}); ++ }); ++ ++ function cb3a(data){ ++ eval("d2a=" + data); ++ var tbl = ''; ++ var head = ''; ++ var row = ''; ++ var disabled = ''; ++ if (d2a.length == 0) { ++ disabled = "disabled"; ++ row += ""; ++ row += "No result. If this is unexpected try this"; ++ } ++ ++ head += ""; ++ head += ""; ++ head += ""; ++ head += "ST"; ++ head += ""; ++ head += "TIMESTAMP"; ++ head += "ID"; ++ head += "SOURCE"; ++ head += "PORT"; ++ head += "AGE"; ++ head += "CC"; ++ head += "DESTINATION"; ++ head += "PORT"; ++ head += "AGE"; ++ head += "CC"; ++ head += "SIGNATURE"; ++ head += ""; ++ ++ // Aggregate time values ++ var timeValues = ""; ++ for (var ts=0; ts" + sid + "." + cid + ""; ++ //if (src_port != "-" && dst_port != "-") { ++ // txBit = "" + sid + "." + cid + ""; ++ //} ++ // new pivot to CapMe: ++ txdata = "s" + i + "-" + cid + "-" + s2h(sid + "|" + utctimestamp + "|" + src_ip + "|" + src_port + "|" + dst_ip + "|" + dst_port); ++ txBit = "" + sid + "." + cid + ""; ++ if (src_port != "-" && dst_port != "-") { ++ var startDate = new Date(utctimestamp); ++ var start_tz_offset = (startDate.getTimezoneOffset()); ++ var stime = startDate.setTime( startDate.getTime()/1000-(start_tz_offset*60) ) - 3600; ++ var endDate = new Date(utctimestamp); ++ var end_tz_offset = (endDate.getTimezoneOffset()); ++ var etime = endDate.setTime( endDate.getTime()/1000-(end_tz_offset*60) ) + 3600; ++ txBit = " " + sid + "." 
+ cid + ""; ++ } ++ ++ row += ""; ++ row += ""; ++ row += "
"; ++ row += cv + "
"; ++ row += "
" + d2a[i].f16 + "
"; ++ row += "" + timestamp + ""; ++ row += txBit; ++ row += "
" + src_ip + ""; ++ row += "" + src_port + ""; ++ row += "" + src_age_n + ""; ++ row += "" + cs[1] + ""; ++ row += "
" + dst_ip + ""; ++ row += "" + dst_port + ""; ++ row += "" + dst_age_n + "" ++ row += "" + cd[1] + ""; ++ row += "" + signature + ""; ++ } ++ ++ var sumED = 0, sumEC = 0, cmsg = ""; ++ ++ if (d2a.length > 0) { ++ sumED = i; ++ sumEC = d2a.length; ++ } ++ ++ if (d2a.length >= maxI) { ++ sumRE = sumEC - maxI; ++ cmsg = " / " + sumRE + " not shown"; ++ } ++ ++ $("#qtotal").html(rsumRT); ++ ++ // Populate tags ++ clearTags(); ++ for (var i=0; i < tags.length; i++) { ++ addTag(tags[i]); ++ } ++ ++ // Draw ++ tbl += ""; ++ tbl += "
"; ++ tbl += "
"; ++ tbl += "
"; ++ tbl += "categorize " + 0 + ""; ++ tbl += " of " + sumED + " event(s)" + cmsg; ++ tbl += "
"; ++ tbl += "
" + sorttxt + "
"; ++ tbl += "
"; ++ tbl += "
"; ++ tbl += ""; ++ tbl += head; ++ tbl += row; ++ tbl += "
"; ++ $('#' + parts[1] + '-' + parts[2]).after(tbl); ++ ++ if (d2a.length > 0) { ++ var prVals = [spr1,spr2,spr3,spr4]; ++ var pryBar = mkPribar(prVals); ++ } else { ++ var pryBar = mkPribar([0]); ++ } ++ $("#tl3a,#tl3b").fadeIn('slow'); ++ $("#tl3b").tablesorter({ ++ headers: { ++ 0:{sorter:false}, ++ 1:{sorter:false}, ++ 5:{sorter:'ipv4'}, ++ 8:{sorter:'ipv4'} ++ }, ++ cancelSelection:false ++ }); ++ $("#loader").hide(); ++ } ++ break; ++ ++ // Level 3 view - Packet Data ++ ++ case "3": ++ var rowLoke = parts[1]; ++ var nCols = $('#' + parts[1]).data('cols'); ++ var filter = $('#' + parts[1]).data('filter'); ++ var urArgs = "type=" + parts[0] + "&object=" + filter + "&ts=" + theWhen; ++ var sg = $('#' + parts[1]).data('sg'); ++ $(function(){ ++ $.get(".inc/callback.php?" + urArgs, function(data){cb4(data)}); ++ }); ++ ++ function cb4(data){ ++ eval("theData=" + data); ++ ++ var tbl = '', head = '', row = ''; ++ ++ // If IP version is 0 we can jump right to the payload (likely bro, http or ossec agent) ++ if (theData[0].ip_ver != 0) { ++ ++ var PDATA = 0; ++ head += ""; ++ head += ""; ++ head += ""; ++ head += ""; ++ head += ""; ++ head += ""; ++ head += ""; ++ head += ""; ++ head += ""; ++ head += ""; ++ head += ""; ++ head += ""; ++ head += ""; ++ head += ""; ++ ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += "
IPVERIHLTOSLENGTHIDFLAGSOFFSETTTLCHECKSUMPROTO
" + theData[0].ip_ver + "" + theData[0].ip_hlen + "" + theData[0].ip_tos + "" + theData[0].ip_len + "" + theData[0].ip_id + "" + theData[0].ip_flags + "" + theData[0].ip_off + "" + theData[0].ip_ttl + "" + theData[0].ip_csum + "" + theData[0].ip_proto + "
"; ++ ++ switch (theData[0].ip_proto) { ++ case "1": ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += "
ICMPTYPECODECHECKSUMIDSEQ#
" + theData[1].icmp_type + "" + theData[1].icmp_code + "" + theData[1].icmp_csum + "" + theData[1].icmp_id + "" + theData[1].icmp_seq + "
"; ++ break; ++ ++ case "6": ++ // TCP flags ++ var tmpFlags = theData[1].tcp_flags || 'z'; ++ switch (tmpFlags) { ++ case 'z': var tcpFlags = '--------'; break; ++ default: ++ var binFlags = Number(theData[1].tcp_flags).toString(2); ++ var binPad = 8 - binFlags.length; ++ var tcpFlags = "00000000".substring(0,binPad) + binFlags; ++ break; ++ } ++ var tcp_seq = theData[1].tcp_seq || '-'; ++ var tcp_ack = theData[1].tcp_ack || '-'; ++ var tcp_off = theData[1].tcp_off || '-'; ++ var tcp_res = theData[1].tcp_res || '-'; ++ var tcp_win = theData[1].tcp_win || '-'; ++ var tcp_urp = theData[1].tcp_urp || '-'; ++ var tcp_csum = theData[1].tcp_csum || '-'; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += "
TCPR1R0URGACKPSHRSTSYNFINSEQ#ACK#OFFSETRESWINURPCHECKSUM
" + tcpFlags[0] + "" + tcpFlags[1] + "" + tcpFlags[2] + "" + tcpFlags[3] + "" + tcpFlags[4] + "" + tcpFlags[5] + "" + tcpFlags[6] + "" + tcpFlags[7] + "" + tcp_seq + "" + tcp_ack + "" + tcp_off + "" + tcp_res + "" + tcp_win + "" + tcp_urp + "" + tcp_csum + "
"; ++ break; ++ ++ case "17": ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += "
UDPLENGTHCHECKSUM
" + theData[1].udp_len + "" + theData[1].udp_csum + "
"; ++ break; ++ } ++ ++ var p_hex = '', p_ascii = '', p_ascii_l = ''; ++ ++ // Data ++ if (!theData[2]) { ++ p_hex = "No Data Sent."; ++ p_ascii = "No Data Sent."; ++ } else { ++ p_pl = theData[2].data_payload; ++ p_length = theData[2].data_payload.length; ++ var b0 = 0; ++ ++ for(var i=0; i < p_length; i+=2) { ++ b0++; ++ t_hex = p_pl.substr(i,2); ++ t_int = parseInt(t_hex,16); ++ ++ if ((t_int < 32) || (t_int > 126)) { ++ p_hex += t_hex + " "; ++ p_ascii += "."; ++ p_ascii_l += "."; ++ } else if (t_int == 60) { ++ p_hex += t_hex + " "; ++ p_ascii += "<"; ++ p_ascii_l += "<"; ++ } else if (t_int == 62) { ++ p_hex += t_hex + " "; ++ p_ascii += ">"; ++ p_ascii_l += ">"; ++ } else { ++ p_hex += t_hex + " "; ++ p_ascii += String.fromCharCode(parseInt(t_hex, 16)); ++ p_ascii_l += String.fromCharCode(parseInt(t_hex, 16)); ++ } ++ ++ if ((b0 == 16) && (i < p_length)) { ++ p_hex += "
"; ++ p_ascii += "
"; ++ b0 = 0; ++ } ++ } ++ } ++ ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += "
DATAHEXASCII
" + p_hex + "" + p_ascii + "
ASCII" + p_ascii_l + "
"; ++ ++ } else { ++ ++ head += ""; ++ var p_ascii = "No Data Sent."; ++ // This needs to be more robust. ++ if (theData[2]) { ++ var tmp = h2s(theData[2].data_payload).split("\n"); ++ p_ascii = ''; ++ for (var i in tmp) { ++ p_ascii += "
" + tmp[i] + "
"; ++ } ++ ++ } ++ row += ""; ++ row += ""; ++ row += "
" + p_ascii + "
"; ++ } ++ ++ tbl += ""; ++ ++ // If we are not grouped we show the signature text ++ if ( sg != 0 ) { ++ tbl += "
"; ++ tbl += "
"; ++ tbl += "
"; ++ tbl += "
"; ++ tbl += "
"; ++ tbl += "
"; ++ sigLookup(sg); ++ } ++ ++ // Comments and tags are done here ++ var tags = new Array(); ++ var eventTag = 'None.'; ++ var eventComment = theData[0].comment || 'None.'; ++ var src_tag = theData[0].srctag || '-'; ++ var dst_tag = theData[0].dsttag || '-'; ++ ++ // Populate tags array ++ if (src_tag != "-") { ++ var src_tags = src_tag.split(","); ++ $.each(src_tags, function(n,tag) { ++ var t = tags.indexOf(tag + ",s"); ++ if (t < 0) tags.push(tag + ",s"); ++ }); ++ } ++ ++ if (dst_tag != "-") { ++ var dst_tags = dst_tag.split(","); ++ $.each(dst_tags, function(n,tag) { ++ var t = tags.indexOf(tag + ",d"); ++ if (t < 0) tags.push(tag + ",d"); ++ }); ++ } ++ ++ if (tags.length > 0) eventTag = ''; ++ ++ tbl += "
COMMENTS
"; ++ tbl += "
" + eventComment + "
"; ++ tbl += "
TAGS
"; ++ tbl += "
" + eventTag + "
"; ++ if (PDATA != 0) { ++ tbl += "
DETAILS
"; ++ } else { ++ tbl += "
PAYLOAD
"; ++ } ++ tbl += head; ++ tbl += row; ++ tbl += ""; ++ $("#" + rowLoke).after(tbl); ++ $("#loader").hide(); ++ ++ // Turn off fade effect for large results ++ var rC = $(".d_row_sub1").length; ++ if ( rC <= 499 ) { ++ $(".d_row_sub1").fadeTo('fast','0.2'); ++ } ++ ++ // Populate tags ++ clearTags(); ++ for (var i=0; i < tags.length; i++) { ++ addTag(tags[i]); ++ } ++ ++ } ++ break; ++ } ++ // If event queue is off we need to reset this after load if b_ec_hot was ++ // the entry point ++ if ($('#rt').text() == 'off') rtbit = 0; ++ } ++ ++ // ++ // Object click handlers ++ // ++ ++ $(document).on("click", ".select,.ex_val,.sub_filter,.row_filter,.tof,.value_link,.nr_f", function(e) { ++ // Check if we are coming from a legit object ++ var prefix = $(this).data('type'); ++ if (prefix == "none") return; ++ ++ // Check if we are coming from a sane selection ++ var selLen = window.getSelection().toString().length; ++ if (selLen > 4) { ++ if (selLen < 255) { // Might need to change these based on how people use this ++ prefix = "zz"; ++ var suffix = window.getSelection().toString(); ++ var re = /\s/g; ++ var NOK = re.exec(suffix); ++ if (NOK) return; ++ } else { ++ return; ++ } ++ } else { ++ var suffix = $(this).text(); ++ } ++ ++ var mX = e.pageX; ++ var mY = e.pageY; ++ ++ var colour = $(this).data('col') || "FFFFFF"; ++ var tfocus = "#search"; ++ switch (prefix) { ++ case 'ip': ++ hItemAdd(suffix); ++ var sord = $(this).data('sord'); ++ mkPickBox(prefix,suffix,sord,colour,mX,mY); ++ break; ++ case 'spt': ++ case 'dpt': ++ hItemAdd(suffix); ++ mkPickBox(prefix,suffix,0,colour,mX,mY); ++ break; ++ case 'cc': ++ case 'scc': ++ case 'dcc': ++ var cc = $(this).data('value'); ++ hItemAdd(cc); ++ mkPickBox(prefix,cc,suffix,colour,mX,mY); ++ break; ++ case 'cmt': ++ suffix = $(this).data('comment'); ++ $("#rt").text("off"); ++ $("#rt").attr('class','tvalue_off'); ++ $('#search').val(prefix + " " + suffix); ++ hItemAdd(suffix); ++ if ($('#cat_box').css('display') != 'none') { 
++ $('#ico01').click(); ++ } ++ $('.b_update').click(); ++ break; ++ case 'cmt_c': ++ $('.cat_msg_txt').val(suffix); ++ hItemAdd(suffix); ++ tfocus = ".cat_msg_txt"; ++ break; ++ case 'fil': ++ var fil = $(this).data('value'); ++ $('#search').val(fil); ++ hItemAdd(fil); ++ if ($('#fltr_box').css('display') != 'none') { ++ $('#ico04').click(); ++ } ++ $('.b_update').click(); ++ break; ++ case 'sid': ++ var value = $(this).data('value'); ++ hItemAdd(suffix); ++ mkPickBox(prefix,value,suffix,colour,mX,mY); ++ break; ++ case 'st': ++ var suffix = $(this).attr('id').split('-')[1]; ++ $('#search').val(prefix + " " + suffix); ++ // RT must be off to return anything ++ $('#rt').attr('class','tvalue_off'); ++ $('#rt').text('off'); ++ rtbit = 0; ++ $('.b_update').click(); ++ break; ++ case 'el': ++ var suffix = $(this).data('value'); ++ mkPickBox(prefix,suffix,0,colour,mX,mY); ++ break; ++ case 'zz': ++ hItemAdd(suffix); ++ mkPickBox(prefix,suffix,0,colour,mX,mY); ++ break; ++ } ++ }); ++ ++ // ++ // Picker Box ++ // ++ ++ function mkPickBox(prefix,suffix,rsuffix,colour,mX,mY) { ++ var doexternals = "yes"; ++ var objhex = s2h(suffix); ++ var tbl = '', row = ''; ++ // Local stuff first ++ switch (prefix[prefix.length - 1]) { ++ case "c": ++ row += ":: SRC or DST"; ++ row += ":: SRC"; ++ row += ":: DST"; ++ row += ":: SEARCH"; ++ break; ++ case "p": ++ row += ":: SRC or DST"; ++ row += ":: SRC"; ++ row += ":: DST"; ++ row += ":: ADD / REMOVE TAG"; ++ if ($('.sigtxt')[0]) { ++ row += ":: HISTORY"; ++ } ++ row += ":: SEARCH"; ++ row += ":: COLOUR  "; ++ row += ""; ++ row += "apply"; ++ row += "apply all"; ++ row += ""; ++ break; ++ case "t": ++ row += ":: SRC"; ++ row += ":: DST"; ++ row += ":: SEARCH"; ++ break; ++ case "d": ++ row += ":: SIGNATURE"; ++ if ($('.sigtxt')[0]) { ++ row += ":: HISTORY"; ++ } ++ row += ":: SEARCH"; ++ break; ++ case "l": ++ row += ":: COLOUR  "; ++ row += ""; ++ row += "update"; ++ doexternals = "no"; ++ break; ++ case "z": ++ row += ":: SEARCH"; ++ 
break; ++ } ++ ++ // If applicable populate externals ++ if (doexternals == "yes") { ++ $('.f_row').each(function() { ++ var ct = $(this).data('type'); ++ if (ct == 'url') { ++ var alias = $(this).data('alias'); ++ var name = $(this).data('name'); ++ var url = $(this).data('filter'); ++ row += ""; ++ row += "" + name + ""; ++ row += ""; ++ } ++ }); ++ } ++ ++ tbl += ""; ++ tbl += row; ++ tbl += "
"; ++ ++ var boxlabel = suffix; ++ ++ // Use more descriptive names where possible ++ var re = /(sid|cc|scc|dcc)/; ++ var OK = re.exec(prefix); ++ if (OK) { ++ var boxlabel = rsuffix; ++ } ++ ++ if (boxlabel.length > 24) { ++ boxlabel = boxlabel.substring(0,24); ++ boxlabel += ".."; ++ } ++ ++ $('#pickbox_label').text(boxlabel).css('font-weight','normal').data('sord', rsuffix); ++ ++ if ($('#tlpick')[0]) $('#tlpick').remove(); ++ $(".pickbox_tbl").append(tbl); ++ $('.pickbox').fadeIn('fast'); ++ ++ // Colour Picker ++ $("#menucol").spectrum({ ++ showInput: true, ++ className: "full-spectrum", ++ showInitial: true, ++ showPalette: true, ++ showSelectionPalette: true, ++ maxPaletteSize: 6, ++ preferredFormat: "hex", ++ localStorageKey: "spectrum.demo", ++ move: function (color) {}, ++ show: function () {}, ++ beforeShow: function () {}, ++ hide: function () {}, ++ change: function() {}, ++ palette: [ ++ ['rgb(217,217,217)','rgb(189,189,189)','rgb(150,150,150)','rgb(99,99,99)','rgb(37,37,37)'], ++ ['rgb(199,233,192)','rgb(161,217,155)','rgb(116,196,118)','rgb(49,163,84)','rgb(0,109,44)'], ++ ['rgb(218,218,235)','rgb(188,189,220)','rgb(158,154,200)','rgb(117,107,177)','rgb(84,39,143)'], ++ ['rgb(198,219,239)','rgb(158,202,225)','rgb(107,174,214)','rgb(49,130,189)','rgb(8,81,156)'], ++ ['rgb(254,217,118)','rgb(254,178,76)','rgb(253,141,60)','rgb(240,59,32)','rgb(189,0,38)'] ++ ] ++ }); ++ } ++ ++ // Pickbox click events ++ $(document).on('click', '.p_row', function() { ++ if ($('.tagbox').css('display') != 'none') $('.tagcancel').click(); ++ var ctype = $(this).data('type'); ++ var alias = $(this).data('alias'); ++ var args = $('#tlpick').data('val'); ++ switch(ctype) { ++ case "l": ++ $('.pickbox').fadeOut('fast'); ++ $('#search').val(alias + " " + args); ++ $('.b_update').click(); ++ break; ++ case "r": ++ $('.pickbox').fadeOut('fast'); ++ var url = h2s($(this).data('url')).replace("${var}", args); ++ window.open(url); ++ break; ++ case "t": ++ 
$('.tagbox').fadeIn('fast'); ++ $('.taginput').focus(); ++ break; ++ case "s": ++ $('.pickbox').fadeOut('fast', function() {; ++ $('#ico05').click(); ++ }); ++ $('.srch_txt').val(args); ++ break; ++ case "h": ++ doHistory(args); ++ $('.pickbox').fadeOut('fast'); ++ break; ++ default: return; ++ } ++ }); ++ ++ // ++ // Tags ++ // ++ ++ // Truncate ++ function truncTag(tag,len) { ++ if (tag.length > len) tag = tag.substring(0,len) + ".."; ++ return tag; ++ } ++ ++ // Filter results or add as new ++ $(document).on('click', '.tag', function() { ++ var tag = $(this).data('val'); ++ if($('.taginput').is(":visible")) { ++ $('.taginput').val(tag); ++ $('.taginput').focus(); ++ } else { ++ $('#search').val('tag ' + tag); ++ $('.b_update').click(); ++ } ++ }); ++ ++ // Remove individual tags on "(X)" click via payload area ++ $(document).on('mouseenter', '.tag_d, .tag_s', function() { ++ var tag = $(this).data('val'); ++ if ($(".tag_x")[0]) return; ++ var dw = $(this).width() - 5 + "px"; ++ $(this).append("
X
"); ++ $(".tag_x").css("margin-left", dw); ++ $(".tag_x").fadeIn("slow"); ++ ++ }); ++ ++ $(document).on('mouseleave', '.tag_d, .tag_s', function() { ++ $('.tag_x').remove(); ++ }); ++ ++ $(document).on('click', '.tag_x', function() { ++ var tag = $(this).parent().data("val"); ++ var obj = $(this).parent().data("obj"); ++ $(this).parent().remove(); ++ var len = $("#tag_area").text().length; ++ if (len == 0) $("#tag_area").append("None."); ++ //doTag(s2h(obj),tag,'rm'); ++ }); ++ ++ // Fire tag add on enter ++ $('.taginput').keypress(function(e) { ++ if (!e) e=window.event; ++ key = e.keyCode ? e.keyCode : e.which; ++ if (key == 13) $('.tagok').click(); ++ }); ++ ++ // Close tag entry ++ $(document).on('click', '.tagcancel', function() { ++ $('.taginput').val(''); ++ $('.tagbox').fadeOut('fast'); ++ }); ++ ++ // Add a tag ++ $(document).on('click', '.tagok', function() { ++ var tag = $('.taginput').val(); ++ var obj = $('#pickbox_label').text(); ++ var re = /^[?a-zA-Z0-9][\s{1}\w-\.]*$/; ++ var OK = re.exec(tag); ++ if (OK) doTag(s2h(obj),tag,'add'); ++ }); ++ ++ // Remove a tag ++ $(document).on('click', '.tagrm', function() { ++ var tag = truncTag($('.taginput').val(),20); ++ var obj = $('#pickbox_label').text(); ++ doTag(s2h(obj),tag,'rm'); ++ $(".tag" + ":contains('" + tag + "')").remove(); ++ $('.tagcancel').click(); ++ }); ++ ++ // Display or Toggle tags ++ function addTag(tag) { ++ // If we entered from payload we have some additional info ++ if ($('#eview_sub2')[0]) { ++ var longTag = tag.split(",")[0]; ++ var theClass = tag.split(",")[1]; ++ var t_tag = truncTag(longTag,20); ++ } else { ++ var t_tag = truncTag(tag,20); ++ } ++ ++ // Hide empty ++ $('.tag_empty').hide(); ++ ++ // Check if tag exists ++ var tag_exists = 0; ++ $('.tag').each(function() { ++ if ($(this).text() == t_tag) { ++ $(this).addClass('tag_active'); ++ tag_exists = 1; ++ } ++ }); ++ ++ // Add tag to left pane ++ if (tag_exists == 0) { ++ var newTag = "
" + t_tag + "
"; ++ $('#tg_box').prepend(newTag); ++ } ++ ++ // If we have the payload open, add here as well ++ if ($('#eview_sub2')[0]) { ++ if($('#pickbox_label').is(":visible")) { ++ theClass = $('#pickbox_label').data('sord')[0]; ++ } ++ // Remove placeholder ++ if ($('#tag_none')[0]) $('#tag_none').remove(); ++ var newTag = "
" + t_tag + "
"; ++ $('#tag_area').prepend(newTag); ++ } ++ ++ } ++ ++ function doTag(obj,tag,op) { ++ var urArgs = "type=19&obtype=tag&object=" + obj + "&value=" + tag + "&op=" + op; ++ $(function(){ ++ $.post(".inc/callback.php?" + urArgs, function(data){cb22(data)}); ++ }); ++ ++ function cb22(data){ ++ eval("theData=" + data); ++ if (theData.msg != '') { ++ alert(theData.msg); ++ } else { ++ if (op != 'rm') addTag(tag); ++ $('.tagcancel').click(); ++ } ++ } ++ } ++ ++ // Colours ++ $(document).on('click', '.csave', function() { ++ var obtype = $(this).data('obtype'); ++ var object = $(this).data('object'); ++ var colour = $('#menucol').val().replace(/#/,"").toUpperCase(); ++ var op = "add"; ++ var re = /^([A-Fa-f0-9]{6}|[A-Fa-f0-9]{3})$/; ++ var OK = re.exec(colour); ++ if (!OK) return; ++ // Single or multiple? ++ if (obtype == "src" || obtype == "dst") { ++ var vr = new Array(); ++ $("." + obtype).each(function() { ++ var v = $(this).text(); ++ var re = /\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}/; ++ var OK = re.exec(v); ++ if (OK) { ++ var t = vr.indexOf(v); ++ if (t < 0) vr.push(v); ++ } ++ }); ++ object = vr.toString(); ++ } ++ ++ var urArgs = "type=19&obtype=" + obtype + "_c&object=" + object + "&value=" + colour + "&op=" + op; ++ $(function(){ ++ $.post(".inc/callback.php?" + urArgs, function(data){cb22(data)}); ++ }); ++ ++ function cb22(data){ ++ eval("theData=" + data); ++ if (theData.msg != '') { ++ alert(theData.msg); ++ } else { // We should be good.. ++ var curObject = $('#pickbox_label').text(); ++ if (obtype == "el") { ++ var html = "
" + colour; ++ $('#el_' + curObject).html(html); ++ $('#el_' + curObject).data('col', colour); ++ } else { ++ $(".sub_filter:contains(" + curObject + ")").each(function() { ++ $(this).find('.object').css('background-color', '#' + colour).parent().data('col', colour); ++ }); ++ } ++ $('.pickbox').fadeOut('fast'); ++ } ++ } ++ }); ++ ++ $(document).on('click', '.pickbox_close', function() { ++ $('.tagcancel').click(); ++ $('.pickbox').fadeOut('fast'); ++ }); ++ ++ // ++ // Object History ++ // ++ ++ function hItemAdd(item) { ++ var itemTitle = item; ++ // Truncate ++ if (item.length > 33) { ++ itemTitle = item.substring(0,33) + ".."; ++ } ++ // Remove empty message ++ $('.history_empty').hide(); ++ ++ // If the item doesn't exist, add it. Otherwise, we start counting. ++ if ($(".h_item:contains('" + itemTitle + "')").length > 0) { ++ var oc = $(".h_item:contains('" + itemTitle + "')").data('n'); ++ var nc = Number(oc) + 1; ++ var bg = '#c9c9c9'; ++ var fn = 'normal'; ++ if (nc <= 3) { ++ bg = '#000'; ++ } else if (nc > 3) { ++ bg = '#cc0000'; ++ fn = 'bold'; ++ } ++ ++ $(".h_item:contains('" + itemTitle + "')").css('color', bg); ++ $(".h_item:contains('" + itemTitle + "')").css('font-weight', fn); ++ $(".h_item:contains('" + itemTitle + "')").data('n',nc); ++ $(".h_item:contains('" + itemTitle + "')").text(itemTitle + "(" + nc + ")"); ++ } else { ++ var toAdd = " " + itemTitle + ""; ++ $('#h_box').prepend(toAdd); ++ } ++ } ++ ++ if (!$('.h_item')[0]) { ++ $('.history_empty').show(); ++ } ++ ++ // Alt mappings for icons ++ ++ $.alt('1', function() { ++ $("#ico01").click(); ++ }); ++ $.alt('2', function() { ++ $("#ico02").click(); ++ }); ++ $.alt('3', function() { ++ $("#ico03").click(); ++ }); ++ $.alt('4', function() { ++ $("#ico05").click(); ++ }); ++ $.alt('5', function() { ++ $("#ico04").click(); ++ }); ++ ++ // ++ // Event classification ++ // ++ ++ // Use function keys to trigger status buttons ++ $(document).keydown(function(event){ ++ ++ function stopOthers() 
{ ++ event.originalEvent.keyCode = 0; ++ event.preventDefault(); ++ event.stopPropagation(); ++ } ++ ++ switch (event.keyCode) { ++ case 112: stopOthers(); $('#b_class-11').click(); break; ++ case 113: stopOthers(); $('#b_class-12').click(); break; ++ case 114: stopOthers(); $('#b_class-13').click(); break; ++ case 115: stopOthers(); $('#b_class-14').click(); break; ++ case 116: stopOthers(); $('#b_class-15').click(); break; ++ case 117: stopOthers(); $('#b_class-16').click(); break; ++ case 118: stopOthers(); $('#b_class-17').click(); break; ++ case 119: stopOthers(); $('#b_class-1').click(); break; ++ case 120: stopOthers(); $('#b_class-2').click(); break; ++ } ++ }); ++ ++ // Comment window status buttons ++ $(document).on("click", "#cw_buttons", function(event) { ++ var newclass = $(event.target).data('n'); ++ if (newclass == 0) { ++ $('#b_class-' + newclass).click(); ++ } else { ++ $('#b_class-' + newclass).click(); ++ } ++ }); ++ ++ // Highlight colour for selected events ++ var hlcol = "#FFFFE0"; ++ var hlhov = "#FDFDD6"; ++ ++ // Individual selects ++ var clickOne = 0, clck1 = 0, clck2 = 0; ++ $(document).on("click", ".chk_event", function(event) { ++ $("#tl3b").trigger('update'); ++ var clickTwo = this.id.split("_"); ++ if (Number(clickOne[1]) > Number(clickTwo[1])) { ++ clck1 = clickTwo[1]; ++ clck2 = clickOne[1]; ++ } else { ++ clck1 = clickOne[1]; ++ clck2 = clickTwo[1]; ++ } ++ ++ if (event.shiftKey) { ++ if (clck1 != clck2) { ++ $("#s" + clck1).nextUntil("#s" + clck2).find(".chk_event").prop("checked", true); ++ $("#s" + clck1).nextUntil("#s" + clck2).css("background-color", hlcol); ++ $("#s" + clck1).nextUntil("#s" + clck2).hover( ++ function(){$(this).css("background-color", hlhov)}, ++ function(){$(this).css("background-color", hlcol)}); ++ clickOne = 0, clck1 = 0, clck2 = 0; ++ } ++ } ++ ++ // Update class_count ++ $("#class_count").html($(".chk_event:checked").length); ++ if ($("#ca1:checked").length > 0) { ++ $("#ca1").prop("checked",false); ++ 
} ++ clickOne = this.id.split("_"); ++ ++ if ($(this).prop("checked") == true) { ++ $("#s" + clickTwo[1]).css("background-color", hlcol); ++ $("#s" + clickTwo[1]).hover(function(){$(this).css("background-color", hlhov)}, ++ function(){$(this).css("background-color", hlcol)}); ++ } else { ++ $("#s" + clickTwo[1]).css("background-color", "transparent"); ++ $("#s" + clickTwo[1]).hover(function(){$(this).css("background-color", "#f4f4f4")}, ++ function(){$(this).css("background-color", "transparent")}); ++ } ++ }); ++ ++ // Select all (2) ++ $(document).on("click", "#ca1", function(event) { ++ var chkLen = $("#ca1:checked").length; ++ switch(chkLen) { ++ case 0: ++ $(".chk_event").prop("checked",false); ++ $("#ca0").prop("checked",false); ++ $(".d_row_sub1").css("background-color", "transparent"); ++ $(".d_row_sub1").hover(function(){$(this).css("background-color", "#f4f4f4")}, ++ function(){$(this).css("background-color", "transparent")}); ++ break; ++ default: ++ $(".chk_event").each(function() { ++ if ($(this).prop("disabled") == false) { ++ $(this).prop("checked",true); ++ } ++ }); ++ $(".d_row_sub1").css("background-color", hlcol); ++ $(".d_row_sub1").hover(function(){$(this).css("background-color", hlhov)}, ++ function(){$(this).css("background-color", hlcol)}); ++ $("#ca0").prop("checked",true); ++ break; ++ } ++ ++ if ($(".eview_sub1")[0]) { ++ // Update class_count ++ $("#class_count").html($(".chk_event:checked").length); ++ } ++ ++ }); ++ ++ // Select all (2a) - clean this up, the above is almost identical ++ $(document).on("click", "#ca2", function(event) { ++ var chkLen = $("#ca2:checked").length; ++ switch(chkLen) { ++ case 0: ++ $(".chk_event").prop("checked",false); ++ $("#ca2").prop("checked",false); ++ $(".d_row_sub1").css("background-color", "transparent"); ++ $(".d_row_sub1").hover(function(){$(this).css("background-color", "#f4f4f4")}, ++ function(){$(this).css("background-color", "transparent")}); ++ break; ++ default: ++ 
$(".chk_event").each(function() { ++ if ($(this).prop("disabled") == false) { ++ $(this).prop("checked",true); ++ } ++ }); ++ $(".d_row_sub1").css("background-color", hlcol); ++ $(".d_row_sub1").hover(function(){$(this).css("background-color", hlhov)}, ++ function(){$(this).css("background-color", hlcol)}); ++ $("#ca2").prop("checked",true); ++ break; ++ } ++ // Update class_count ++ $("#class_count").html($(".chk_event:checked").length); ++ }); ++ ++ // Class button click ++ $(document).on("click", "[id*=\"b_class-\"]", function() { ++ // We only fire if something is selected ++ var chkLen = parseInt($(".chk_event:checked").length + $(".chk_all:checked").length); ++ var intclass = $(this).attr('id').split("-"); ++ if (chkLen > 0 && intclass[1] != 0) { ++ eClass(this,intclass[1]); ++ } ++ }); ++ ++ function eClass(caller,intclass) { ++ // The sid.cid values ++ var scid= "", scidlist = "", ecls = 0; ++ if ($(".eview_sub1")[0] || $("#ca2")[0]) { ++ $(".chk_event:checked").each(function() { ++ if ($(this).data('eclass') == 0) { ++ ecls++; ++ } ++ scid += $(this).val() + ","; ++ }); ++ scidlist = scid.replace(/,$/, ""); ++ } else { ++ ecls = $(".d_row_active").find(".b_ec_hot").text(); ++ scidlist = $("#ca0").data("scid"); ++ } ++ ++ // Was there a message? ++ var msg = "none"; ++ if ($(".cat_msg_txt").val().length != 0) { ++ msg = $(".cat_msg_txt").val(); ++ } ++ ++ if ($('#cat_box').css('display') != 'none') { ++ $('#ico01').click(); ++ } ++ ++ // We are now ready to class ++ var catdata = intclass + "|||" + msg + "|||" + scidlist; ++ var urArgs = "type=" + 9; ++ $(function(){ ++ $.post(".inc/callback.php?" 
+ urArgs, { catdata: catdata } ,function(data){cb9(data)}); ++ }); ++ ++ function cb9(data){ ++ eval("catRaw=" + data); ++ catDbg = catRaw.dbg; ++ if (catDbg == "0") { ++ ++ var curtotalrtcount = Number(ecls); ++ // Working on grouped events ++ if ($("#gr").text() == "on") { ++ curclasscount = Number($("#class_count").text()); ++ var curtotalparentcount = $(".d_row_active").find(".b_ec_hot").text(); ++ // Do we have queued events? ++ if (curtotalparentcount > 0) { ++ ++ // Are we working on queued events? ++ if (curtotalrtcount > 0) { ++ curclasscount = curtotalrtcount; ++ } else { ++ curclasscount = 0; ++ } ++ // Adjust the parent count ++ newparentcount = parseInt(curtotalparentcount - curclasscount,10); ++ $(".d_row_active").find(".b_ec_hot").text(newparentcount); ++ ++ if (newparentcount == 0) { ++ $(".d_row_active").find(".b_ec_hot").parent().attr('class','row'); ++ $(".d_row_active").find(".b_ec_hot").attr('class','b_ec_cold'); ++ } ++ ++ // If we are working within the child, adjust accordingly ++ if ($(".eview_sub1")[0]) { ++ // How many are in the child ++ curtotalchildcount = $(".d_row_sub_active").find(".b_ec_hot").text(); ++ ++ // Adjust the child count ++ newchildcount = parseInt(curtotalchildcount - curclasscount,10); ++ $(".d_row_sub_active").find(".b_ec_hot").text(newchildcount); ++ if (newchildcount == 0) { ++ $("#ca1").prop("disabled",true); ++ $(".d_row_sub_active").find(".b_ec_hot").parent().attr('class','sub'); ++ $(".d_row_sub_active").find(".b_ec_hot").attr('class','b_ec_cold'); ++ } ++ // Otherwise we were called from the parent ++ } else { ++ $(".d_row_sub").find(".b_ec_hot").parent().attr('class','sub'); ++ $(".d_row_sub").find(".b_ec_hot").text(0); ++ $(".d_row_sub").find(".b_ec_hot").attr('class','b_ec_cold'); ++ $("#ca0").prop("disabled",true); ++ } ++ lastclasscount = newparentcount; ++ } ++ ++ // Lastly, update class_count ++ if (rtbit == 1 || curtotalrtcount > 0 || $("#eview_sub")[0]) { ++ $("#class_count").html(0); ++ } else { ++ 
$("#class_count").html($(".d_row_active").find(".b_ec_total").text()); ++ } ++ ++ // Working on ungrouped events ++ } else { ++ $("#class_count").html(lastclasscount); ++ } ++ ++ // What the new classification is ++ selClass = $(caller).data("cn"); ++ newClass = "a_" + selClass; ++ ++ // Change visible class and disable if RT ++ // If we are RT ungrouped, we just remove ++ if ($('#rt').text() == 'on' && $("#ca2")[0]) { ++ $(".chk_event:checked").each(function() { ++ var pid = $(this).attr("id").split("_"); ++ var nid = parseInt(Number(pid[1]) + 1); ++ // Remove any open payload or TX panes ++ if ($("[id^=eview_]")[0]) { ++ $("[id^=eview_]").remove(); ++ $(".d_row_sub1").css('opacity','1'); ++ } ++ // Remove the row ++ $("#s" + pid[1]).fadeOut('fast', function() { ++ $("#s" + pid[1]).remove(); ++ }); ++ }); ++ ++ // Update table (for sorter) ++ $("#tl3b").trigger('update'); ++ } else { ++ // If we are RT and all events are classed we just remove ++ if ($('#rt').text() == 'on' && $(".d_row_active").find(".b_ec_hot").text() == 0) { ++ $("#active_eview").remove(); ++ $(".d_row_active").fadeOut('slow', function (event) { ++ $(".d_row_active").remove(); ++ var newsigtotal = "-"; ++ var sigtotal = $("#esignature").text(); ++ if (sigtotal > 0) { ++ newsigtotal = parseInt(sigtotal - 1); ++ } ++ $("#esignature").text(newsigtotal); ++ }); ++ $(".d_row").css('opacity','1'); ++ } else { ++ $(".chk_event:checked").each(function() { ++ var n = this.id.split("_"); ++ $("#class_box_" + n[1]).attr('class', newClass); ++ $("#class_box_" + n[1]).text(selClass); ++ if (curtotalparentcount > 0) { ++ $(this).prop("disabled",true); ++ } ++ }); ++ } ++ $(".d_row_sub1").css("background-color", "#fafafa"); ++ $(".d_row_sub1").hover(function(){$(this).css("background-color", "#f4f4f4")}, ++ function(){$(this).css("background-color", "#fafafa")}); ++ } ++ ++ // Uncheck everything ++ $(".chk_event").prop("checked", false); ++ $(".chk_all").prop("checked", false); ++ // Remove these scids from 
the L1 scidlist ++ if ($("#ca0")[0] && rtbit == 1) { ++ var cur_scidlist = scidlist.split(','); ++ var active_scidlist = $("#ca0").data("scid"); ++ for (var i = 0; i < cur_scidlist.length; i++) { ++ active_scidlist = active_scidlist.replace(cur_scidlist[i],''); ++ } ++ active_scidlist = active_scidlist.replace(/,{2,}/g,','); ++ active_scidlist = active_scidlist.replace(/(^,|,$)/g,''); ++ $("#ca0").data("scid", active_scidlist); ++ } ++ catMsg(scidlist.split(',').length, curtotalrtcount); ++ } else { ++ catMsg(0); ++ } ++ } ++ } ++ ++ function catMsg(count, rtcount) { ++ switch (count) { ++ default: ++ var ess = ''; ++ if ( count > 1 ) ess = 's'; ++ ++ var numrows = Number($('.d_row').length + $('.d_row_sub1').length); ++ var newboxtotal = 0, newcatcount = 0; ++ newboxtotal = parseInt($("#qtotal").text() - rtcount); ++ $("#qtotal").text(newboxtotal); ++ ++ // If we are just rt update Total boxes as we go ++ if ($("#ca2")[0]) { // We are ungrouped ++ newcatcount = parseInt($("#cat_count").text() - count); ++ if (newcatcount == 0) { ++ newView("u"); ++ } else { ++ $("#cat_count").text(newcatcount); ++ } ++ } ++ ++ if (numrows == 0) { ++ newView("u"); ++ } ++ ++ var msg = count + " event" + ess + " categorized"; ++ clearTags(); ++ break; ++ } ++ ++ $("span.class_msg").text(msg); ++ $("span.class_msg").fadeIn('slow', function() { ++ setTimeout(function(){ ++ $(".class_msg").fadeOut('slow'); ++ }, 3000); ++ }); ++ } ++ ++ // Load summary tab ++ function loadSummary() { ++ var limit = 10; ++ if ($('#wm0')[0]) { ++ doMap("redraw"); ++ } else { ++ doMap("draw"); ++ } ++ mkSummary("signature",limit); ++ mkSummary("srcip",limit); ++ mkSummary("dstip",limit); ++ mkSummary("srcpt",limit); ++ mkSummary("dstpt",limit); ++ mkSummary("srccc",limit); ++ mkSummary("dstcc",limit); ++ } ++ ++ // Toggle summary section ++ $(document).on("click", ".hidepane", function(e) { ++ $('#topsignature').toggle(); ++ }); ++ ++ // Summary tab ++ function mkSummary(box,limit) { ++ var theWhen = 
getTimestamp(); ++ var theSensors = s2h('empty'); ++ var theFilter = mkFilter(); ++ // See if we are filtering by sensor ++ if ($('.chk_sen:checked').length > 0) { ++ var active_sensors = "AND event.sid IN("; ++ var iter = $('.chk_sen:checked').length; ++ $('.chk_sen:checked').each(function() { ++ active_sensors += "'" + $(this).val() + "',"; ++ }); ++ active_sensors = active_sensors.replace(/,+$/,''); ++ active_sensors += ")"; ++ theSensors = s2h(active_sensors); ++ } ++ ++ var ldr = "
"; ++ $('#ov_' + box + '_sl').prepend(ldr); ++ $('#top' + box).fadeTo('fast', 0.2); ++ switch (box) { ++ case "srcip": ++ var cbArgs = "srcip"; ++ var qargs = "ip-src"; ++ var urArgs = "type=15&qargs=" + qargs + "&filter=" + theFilter + "&sensors=" + theSensors + "&limit=" + limit + "&ts=" + theWhen; ++ $(function(){ ++ $.get(".inc/callback.php?" + urArgs, function(data){cb15(data,cbArgs)}); ++ }); ++ break; ++ case "dstip": ++ var cbArgs = "dstip"; ++ var qargs = "ip-dst"; ++ var urArgs = "type=15&qargs=" + qargs + "&filter=" + theFilter + "&sensors=" + theSensors + "&limit=" + limit + "&ts=" + theWhen; ++ $(function(){ ++ $.get(".inc/callback.php?" + urArgs, function(data){cb15(data,cbArgs)}); ++ }); ++ break; ++ case "srcpt": ++ var cbArgs = "srcpt"; ++ var qargs = "pt-src"; ++ var urArgs = "type=15&qargs=" + qargs + "&filter=" + theFilter + "&sensors=" + theSensors + "&limit=" + limit + "&ts=" + theWhen; ++ $(function(){ ++ $.get(".inc/callback.php?" + urArgs, function(data){cb17(data,cbArgs)}); ++ }); ++ break; ++ case "dstpt": ++ var cbArgs = "dstpt"; ++ var qargs = "pt-dst"; ++ var urArgs = "type=15&qargs=" + qargs + "&filter=" + theFilter + "&sensors=" + theSensors + "&limit=" + limit + "&ts=" + theWhen; ++ $(function(){ ++ $.get(".inc/callback.php?" + urArgs, function(data){cb17(data,cbArgs)}); ++ }); ++ break; ++ case "signature": ++ var qargs = "sig-sig"; ++ var urArgs = "type=15&qargs=" + qargs + "&filter=" + theFilter + "&sensors=" + theSensors + "&limit=" + limit + "&ts=" + theWhen; ++ $(function(){ ++ $.get(".inc/callback.php?" + urArgs, function(data){cb16(data)}); ++ }); ++ break; ++ case "srccc": ++ var cbArgs = "srccc"; ++ var qargs = "cc-src"; ++ var urArgs = "type=15&qargs=" + qargs + "&filter=" + theFilter + "&sensors=" + theSensors + "&limit=" + limit + "&ts=" + theWhen; ++ $(function(){ ++ $.get(".inc/callback.php?" 
+ urArgs, function(data){cb15(data,cbArgs)}); ++ }); ++ break; ++ case "dstcc": ++ var cbArgs = "dstcc"; ++ var qargs = "cc-dst"; ++ var urArgs = "type=15&qargs=" + qargs + "&filter=" + theFilter + "&sensors=" + theSensors + "&limit=" + limit + "&ts=" + theWhen; ++ $(function(){ ++ $.get(".inc/callback.php?" + urArgs, function(data){cb15(data,cbArgs)}); ++ }); ++ break; ++ } ++ ++ // IP and Country ++ function cb15(data,cbArgs){ ++ var ch = "SRC"; ++ var wip = "d"; ++ if (cbArgs[0] == "s") ch = "DST", wip = "s"; ++ eval("raw=" + data); ++ var tbl = '', head = '', row = ''; ++ head += ""; ++ head += "COUNT"; ++ head += "%TOTAL"; ++ head += "#SIG"; ++ head += "#" + ch + ""; ++ if (cbArgs[3] == "c") { ++ head += "COUNTRY"; ++ head += "#IP"; ++ } else { ++ head += "IP"; ++ head += "COUNTRY"; ++ } ++ head += ""; ++ ++ var eventsum = raw[raw.length - 1].n || 0; ++ var records = raw[raw.length - 1].r || 0; ++ if (records == 0) { ++ row = "No result."; ++ $("#ov_" + cbArgs + "_sl").text(""); ++ } ++ for (var i=0; i 0) per = parseFloat(cnt/eventsum*100).toFixed(2); ++ row += ""; ++ row += "" + cnt + ""; ++ row += "" + per + "%"; ++ row += "" + sigs + ""; ++ row += "" + ip2 + ""; ++ ++ if (cbArgs[3] == "c") { ++ row += ""; ++ row += cs[1] + clong + " (." + cc.toLowerCase() + ")" + ""; ++ row += "" + ip + ""; ++ } else { ++ row += "
" + ip + ""; ++ row += ""; ++ row += cs[1] + clong + " (." + cc.toLowerCase() + ")" + ""; ++ } ++ row += ""; ++ row += "
"; ++ } ++ tbl += ""; ++ tbl += head; ++ tbl += row; ++ tbl += "
"; ++ if ($("#top" + cbArgs)[0]) $("#top" + cbArgs).remove(); ++ $("#ov_" + cbArgs + "_sl").after(tbl); ++ $("#ov_" + cbArgs + "_msg").html("viewing " + i + " of " + records + " results"); ++ mkSlider("ov_" + cbArgs + "_sl", i, records); ++ } ++ ++ // Ports ++ function cb17(data,cbArgs){ ++ eval("raw=" + data); ++ var tbl = '', head = '', row = ''; ++ head += ""; ++ head += "COUNT"; ++ head += "%TOTAL"; ++ head += "#SIG"; ++ head += "#SRC" ++ head += "#DST"; ++ head += "PORT"; ++ head += ""; ++ ++ var eventsum = raw[raw.length - 1].n || 0; ++ var records = raw[raw.length - 1].r || 0; ++ if (records == 0) { ++ row = "No result."; ++ $("#ov_" + cbArgs + "_sl").text(""); ++ } ++ for (var i=0; i 0) per = parseFloat(cnt/eventsum*100).toFixed(2); ++ row += ""; ++ row += "" + cnt + ""; ++ row += "" + per + "%"; ++ row += "" + sigs + ""; ++ row += "" + src + ""; ++ row += "" + dst + ""; ++ row += "" + port + ""; ++ row += ""; ++ row += "
"; ++ } ++ tbl += ""; ++ tbl += head; ++ tbl += row; ++ tbl += "
"; ++ if ($("#top" + cbArgs)[0]) $("#top" + cbArgs).remove(); ++ $("#ov_" + cbArgs + "_sl").after(tbl); ++ $("#ov_" + cbArgs + "_msg").html("viewing " + i + " of " + records + " results"); ++ mkSlider("ov_" + cbArgs + "_sl", i, records); ++ } ++ // Signature ++ function cb16(data){ ++ eval("raw=" + data); ++ var tbl = '', head = '', row = ''; ++ head += ""; ++ head += "COUNT"; ++ head += "%TOTAL"; ++ head += "#SRC"; ++ head += "#DST"; ++ head += "SIGNATURE"; ++ head += "ID"; ++ head += ""; ++ ++ var eventsum = raw[raw.length - 1].n || 0; ++ var records = raw[raw.length - 1].r || 0; ++ if (records == 0) { ++ row = "No result."; ++ $("#ov_signature_sl").text(""); ++ $("#ovestat").html("(No events)"); ++ } else { ++ $("#ovestat").html("(" + eventsum + " events)"); ++ } ++ for (var i=0; i 0) per = parseFloat(cnt/eventsum*100).toFixed(2); ++ row += ""; ++ row += "" + cnt + ""; ++ row += "" + per + "%"; ++ row += "" + src + ""; ++ row += "" + dst + ""; ++ row += "" + sig + ""; ++ row += "" + sid + ""; ++ row += ""; ++ row += "
"; ++ } ++ ++ tbl += ""; ++ tbl += head; ++ tbl += row; ++ tbl += "
"; ++ if ($('#topsignature')[0]) $('#topsignature').remove(); ++ $("#ov_signature_sl").after(tbl); ++ $("#ov_signature_msg").html("viewing " + i + " of " + records + " results"); ++ mkSlider("ov_signature_sl", i, records); ++ } ++ } ++ ++ $(".ovsl").mouseup(function() { ++ var section = $(this).attr('id'); ++ var base = section.split("_")[1]; ++ var limit = Number($("#" + section + "_lbl").text()); ++ if (limit > 0) mkSummary(base, limit); ++ }); ++ ++ // ++ // Views tab ++ // ++ ++ function loadViews() { ++ $('.db_links').show(); ++ if (!$("#db_view_cont")[0]) mkView(); ++ } ++ ++ // Link handlers ++ $(document).on('click', '.db_link', function() { ++ $('.db_link').each(function() { ++ if ($(this).data('state') == '1') { ++ $(this).removeClass('db_link_active'); ++ $(this).data('state', '0'); ++ } ++ }); ++ $(this).data('state', '1'); ++ mkView(); ++ }); ++ ++ $(document).on('click', '.db_type', function() { ++ $('.db_type').each(function() { ++ if ($(this).data('state') == '1') { ++ $(this).removeClass('db_type_active'); ++ $(this).data('state', '0'); ++ } ++ }); ++ $(this).data('state', '1'); ++ mkView(); ++ }); ++ ++ $(document).on('click','.db_save', function() { ++ ++ }); ++ ++ // Create the view ++ function mkView() { ++ $('#db_view_cont,#hp_info').remove(); ++ if (!$("#db_view_ldr")[0]) { ++ var view = 'ip'; ++ $('.db_link').each(function() { ++ if ($(this).data('state') == '1') { ++ $(this).addClass('db_link_active'); ++ view = $(this).data('val'); ++ } ++ }); ++ ++ var type = 'sk'; ++ $('.db_type').each(function() { ++ if ($(this).data('state') == '1') { ++ $(this).addClass('db_type_active'); ++ type = $(this).data('type'); ++ } ++ }); ++ ++ var theWhen = getTimestamp(); ++ var theSensors = s2h('empty'); ++ var theFilter = mkFilter(); ++ // See if we are filtering by sensor ++ if ($('.chk_sen:checked').length > 0) { ++ var active_sensors = "AND event.sid IN("; ++ var iter = $('.chk_sen:checked').length; ++ $('.chk_sen:checked').each(function() { ++ 
active_sensors += "'" + $(this).val() + "',"; ++ }); ++ active_sensors = active_sensors.replace(/,+$/,''); ++ active_sensors += ")"; ++ theSensors = s2h(active_sensors); ++ } ++ ++ var ldr = "
"; ++ $('.db_view').after(ldr); ++ var qargs = view + "-" + type; ++ var urArgs = "type=16&qargs=" + qargs + "&filter=" + theFilter + "&sensors=" + theSensors + "&ts=" + theWhen; ++ $(function(){ ++ $.get(".inc/callback.php?" + urArgs, function(data){cb17(data,type)}); ++ }); ++ ++ function cb17(data,type) { ++ eval("viewData=" + data); ++ var records = viewData.records; ++ if ($('#db_view_cont')[0]) $('#db_view_cont').remove(); ++ if (records > 0) { ++ $('.db_view').after("
"); ++ switch (type) { ++ case 'sk': ++ var w = $(window).width(); ++ var h = viewData.links.length * 12; ++ if (h < 100) h = 100; ++ mkSankey("db_view_cont",viewData,w,h); ++ break; ++ } ++ } else { ++ $('.db_view').after("
The query returned no results.
"); ++ } ++ $('#db_view_ldr').remove(); ++ } ++ } ++ } ++ ++ // Make a map ++ function doMap() { ++ theWhen = getTimestamp(); ++ var theFilter = mkFilter(); ++ var working = "Working
"; ++ ++ $('#wm0').html(working); ++ ++ var urArgs = "type=" + 10 + "&filter=" + theFilter + "&ts=" + theWhen; ++ $(function(){ ++ $.get(".inc/callback.php?" + urArgs, function(data){cb10(data)}); ++ }); ++ ++ function cb10(data){ ++ eval("mapRaw=" + data); ++ try { ++ var mapDetail = $.parseJSON("{" + mapRaw.all + "}"); ++ var srcc = mapRaw.srcc; ++ var srce = mapRaw.srce; ++ var dstc = mapRaw.dstc; ++ var dste = mapRaw.dste; ++ var allc = mapRaw.allc; ++ var alle = mapRaw.alle; ++ } ++ catch(e) { ++ var mapDetail = "{\"\"}"; ++ } ++ ++ // What is our current event total? ++ var esum = $('#event_sum').val(); ++ var w = $(window).width() - 72; ++ var h = w / 2.7 ; ++ $("#ov_map").html("
"); ++ $('#wm0').vectorMap({ ++ map: 'world_mill_en', ++ color: '#f4f3f0', ++ backgroundColor: '#CFE1FC', ++ zoomOnScroll: false, ++ onRegionClick: function(event, code){ ++ hItemAdd(code); ++ $('#search').val("cc" + " " + code); ++ $('#search').focus(); ++ }, ++ series: { ++ regions: [{ ++ values: mapDetail, ++ scale: ['#ffffff', '#000000'], ++ normalizeFunction: 'polynomial' ++ }] ++ }, ++ onRegionLabelShow: function(e, el, code){ ++ if (mapDetail[code]) { ++ var eper = parseFloat(mapDetail[code]/esum*100).toFixed(3); ++ el.html(el.html() + ' (' + mapDetail[code] + ' Events ' + eper + '% of Total)'); ++ } else { ++ el.html(el.html()); ++ } ++ } ++ }); ++ ++ var stats = "("; ++ stats += allc + " distinct countries)"; ++ $("#ovmapstat").html(stats); ++ } ++ } ++ ++ // Redraw map ++ $(document).on("click", "#map_src, #map_dst", function() { ++ doMap($(this).attr('id').split("_")[1]); ++ }); ++ ++ // ++ // History ++ // ++ ++ function doHistory(object) { ++ $('#loader').show(); ++ var urArgs = "type=" + 21 + "&object=" + s2h("aa" + object) + "&ts=" + theWhen; ++ $(function(){ ++ $.get(".inc/callback.php?" 
+ urArgs, function(data){cb21(data)}); ++ }); ++ ++ function cb21(data){ ++ eval("chartData=" + data); ++ var r1 = chartData.r1; ++ var r2 = chartData.r2; ++ var sum = 0; ++ if (r1 > 0) { ++ mkHeatMap(".ev_hm",chartData.start,chartData.rows1,object); ++ $('#obhist_sig').remove(); ++ if (r2 > 0) { ++ ++ for (var i=0; i < r2; i++) { ++ sum += Number(chartData.rows2[i].value); ++ } ++ ++ var tbl = '', head = '', row = ''; ++ head += ""; ++ head += "COUNT"; ++ head += "%TOTAL"; ++ head += "SIGNATURE"; ++ head += ""; ++ row += ""; ++ ++ for (var i=0; i < r2; i++) { ++ ++ var cnt = chartData.rows2[i].value || "-"; ++ var sig = chartData.rows2[i].label || "-"; ++ var sid = chartData.rows2[i].sid || "-"; ++ var per = 0; ++ if (sum > 0) var per = parseFloat(cnt/sum*100).toFixed(2); ++ var tsg = truncTag(sig,60); ++ ++ row += ""; ++ row += "" + cnt + ""; ++ row += "" + per + "%"; ++ row += "" + tsg + ""; ++ row += "" ++ row += "
"; ++ } ++ ++ row += ""; ++ tbl += ""; ++ tbl += head; ++ tbl += row; ++ tbl += "
"; ++ if ($('#obhist_sig')[0]) $('#obhist_sig').remove(); ++ $(".ev_py").append(tbl); ++ } ++ } else { ++ return; ++ } ++ if ($(".eview_charts")[0]) $('.eview_charts').slideDown('slow'); ++ $("#loader").hide(); ++ } ++ } ++// The End. ++}); +--- /dev/null ++++ securityonion-squert-20161212/.auth/sso/login.php +@@ -0,0 +1,141 @@ ++ ++// ++// This program is free software: you can redistribute it and/or modify ++// it under the terms of the GNU General Public License as published by ++// the Free Software Foundation, either version 3 of the License, or ++// (at your option) any later version. ++// ++// This program is distributed in the hope that it will be useful, ++// but WITHOUT ANY WARRANTY; without even the implied warranty of ++// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the ++// GNU General Public License for more details. ++// ++// You should have received a copy of the GNU General Public License ++// along with this program. If not, see . ++// ++// ++ ++include_once '.inc/config.php'; ++ ++$username = $password = $err = ''; ++$focus = 'username'; ++session_set_cookie_params(0, NULL, NULL, NULL, TRUE); ++ ++function cleanUp($string) { ++ if (get_magic_quotes_gpc()) { ++ $string = stripslashes($string); ++ } ++ $string = mysql_real_escape_string($string); ++ return $string; ++} ++ ++//if ($_SERVER['REQUEST_METHOD'] == 'POST'){ ++ //$username = $_REQUEST['username']; ++ //$password = $_REQUEST['password']; ++ $username = $_SERVER['PHP_AUTH_USER']; ++ $password = $_SERVER['PHP_AUTH_PW']; ++ ++ $ua = $_SERVER['HTTP_USER_AGENT']; ++ $rqt = $_SERVER['REQUEST_TIME']; ++ $rqaddr = $_SERVER['REMOTE_ADDR']; ++ $max = mt_getrandmax(); ++ $rqt .= mt_rand(0,$max); ++ $rqaddr .= mt_rand(0,$max); ++ $ua .= mt_rand(0,$max); ++ $cmpid = $rqt . $rqaddr . 
$ua; ++ $id = md5($cmpid); ++ $db = mysql_connect($dbHost,$dbUser,$dbPass); ++ $link = mysql_select_db($dbName, $db); ++ if ($link) { ++ $user = cleanUp($username); ++ $query = "SELECT * FROM user_info WHERE username = '$user'"; ++ $result = mysql_query($query); ++ $numRows = mysql_num_rows($result); ++ ++ if ($numRows > 0) { ++ while ($row = mysql_fetch_row($result)) { ++ $userName = $row[1]; ++ $lastLogin = $row[2]; ++ $userHash = $row[3]; ++ $userEmail = $row[4]; ++ $userType = $row[5]; ++ $userTime = $row[6]; ++ $tzoffset = $row[7]; ++ } ++ // The first 2 chars are the salt ++ $theSalt = substr($userHash, 0,2); ++ ++ // The remainder is the hash ++ $theHash = substr($userHash, 2); ++ ++ // Now we hash the users input ++ $testHash = sha1($password . $theSalt); ++ ++ // Does it match? If yes, start the session. ++ if ($testHash === $theHash) { ++ session_start(); ++ ++ // Protect against session fixation attack ++ if (!isset($_SESSION['initiated'])) { ++ session_regenerate_id(); ++ $_SESSION['initiated'] = true; ++ } ++ ++ $_SESSION['sLogin'] = 1; ++ $_SESSION['sUser'] = $userName; ++ $_SESSION['sPass'] = $password; ++ $_SESSION['sEmail'] = $userEmail; ++ $_SESSION['sType'] = $userType; ++ $_SESSION['sTime'] = $userTime; ++ $_SESSION['tzoffset'] = $tzoffset; ++ $_SESSION['sTab'] = 't_sum'; ++ $_SESSION['id'] = $id; ++ ++ header ("Location: index.php?id=$id"); ++ } else { ++ $err = 'The user name or password is incorrect.'; ++ $focus = 'username'; ++ } ++ } else { ++ $err = 'The user name or password is incorrect.'; ++ $focus = 'username'; ++ } ++ } else { ++ $err = 'Connection Failed'; ++ } ++//} ++?> ++ ++ ++ ++Please login to continue ++ ++ ++ ++ ++
++
++ ++ ++ ++ ++ ++ ++
++squert - Please login to continue
++Username
++
++Password
++
++

++
Version 1.6.4©2016 Paul Halliday
++
++
++ ++ ++ +--- /dev/null ++++ securityonion-squert-20161212/.auth/sso/squertMain.js +@@ -0,0 +1,3276 @@ ++/* Copyright (C) 2012 Paul Halliday */ ++ ++$(document).ready(function(){ ++ ++ $(document).on('click', '[class*="bpr"]', function() { ++ // We disallow filtering if any events have already been selected ++ // or if we stray from the event tab ++ if ($('.d_row_active')[0]) return; ++ if ($(".chk_event:checked").length > 0) return; ++ if ($(".tab_active").attr('id') != 't_sum') return; ++ ++ var prClass = $(this).attr('class').split('b')[1]; ++ var prOld = $(this).data('pr'); ++ ++ function flipIt(pattern) { ++ $(pattern).closest('tr').hide(); ++ $(pattern).closest('tr').attr('class','hidden'); ++ if ($('#gr').text() == 'on') $(pattern).closest('tr').find('.chk_event').prop("disabled",true); ++ } ++ if ($('.b' + prClass).attr('class') == 'bprA') { ++ $('.b' + prClass).attr('class', 'bpr' + prOld); ++ $('.hidden').attr('class','d_row'); ++ $('.d_row').show(); ++ if ($('#gr').text() == 'on') { ++ $('.chk_event').prop("disabled",false); ++ $('.chk_all').prop("checked",false); ++ $('.chk_event').css("background-color", "#fafafa"); ++ } ++ } else { ++ // See if we are already filtered ++ if ($('.bprA')[0]) { ++ $('.hidden').attr('class','d_row'); ++ $('.d_row').show(); ++ if ($('#gr').text() == 'on') { ++ $('.chk_event').prop("disabled",false); ++ $('.chk_all').prop("checked",false); ++ $('.chk_event').css("background-color", "#fafafa"); ++ } ++ var prPrev = $('.bprA').data('pr'); ++ $('.bprA').attr('class', 'bpr' + prPrev); ++ } ++ $('.b' + prClass).attr('class','bprA'); ++ switch (prClass) { ++ case "pr1": ptrn = ".pr2,.pr3,.pr4"; break; ++ case "pr2": ptrn = ".pr1,.pr3,.pr4"; break; ++ case "pr3": ptrn = ".pr1,.pr2,.pr4"; break; ++ case "pr4": ptrn = ".pr1,.pr2,.pr3"; break; ++ } ++ flipIt(ptrn); ++ } ++ }); ++ ++ // ++ // Load main content ++ // ++ ++ // Keep track of context ++ thisUser = $('#t_usr').data('c_usr'); ++ thisTZ = $('#user_tz').val(); ++ rtbit = 0; 
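Review bot: login.php stores the submitted plaintext password in the session at `$_SESSION['sPass'] = $password;`, so any exposure of session storage leaks user credentials rather than just a session; nothing in this hunk reads sPass, so the line should be dropped. The `header ("Location: index.php?id=$id");` call is not followed by `exit;`, so the script continues and renders the login form after the redirect header — add `exit;` on the following line. The file also relies on `mysql_connect`/`mysql_real_escape_string` and `get_magic_quotes_gpc()`, both removed in current PHP, so the `user_info` lookup should be a PDO prepared statement (`WHERE username = ?`) rather than a string-built query. Smaller points: `$testHash === $theHash` is better written `hash_equals($theHash, $testHash)`, and `$id` is derived from `mt_rand()`, which is not a CSPRNG; if `id` acts as an authentication token in index.php (not visible here), `bin2hex(random_bytes(16))` is the appropriate source. `session_set_cookie_params(0, NULL, NULL, NULL, TRUE)` sets HttpOnly but leaves the Secure flag unset; pass `true` as the fourth argument when the app is served over HTTPS.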
++ eventList("0-aaa-00"); ++ $("#loader").show(); ++ lastclasscount = 0; ++ ++ $(document).on("click", "#dt_savetz", function(event) { ++ if ($('.dt_error').data('err') == 0) { ++ var newOffset = $('#ts_offset').val(); ++ profileUpdate("tz", s2h(newOffset)); ++ $('#user_tz').val(newOffset); ++ } ++ }); ++ ++ // Depending on context a 'No result' may be confusing ++ // so we turn off active queue and show everything ++ $(document).on('click', '#retry', function() { ++ $('#rt').attr('class','tvalue_off'); ++ $('#rt').text('off'); ++ rtbit = 0; ++ $('.b_update').click(); ++ }); ++ ++ // Get event statuses ++ var eTotal = 0, qTotal = 0; ++ function statusPoll(caller) { ++ // See if we are filtering by sensor ++ var theSensors = s2h('empty'); ++ if ($('.chk_sen:checked').length > 0) { ++ var active_sensors = "AND event.sid IN("; ++ var iter = $('.chk_sen:checked').length; ++ $('.chk_sen:checked').each(function() { ++ active_sensors += "'" + $(this).val() + "',"; ++ }); ++ active_sensors = active_sensors.replace(/,+$/,''); ++ active_sensors += ")"; ++ theSensors = s2h(active_sensors); ++ } ++ ++ var urArgs = "type=" + 6 + "&ts=" + theWhen + "&sensors=" + theSensors; ++ $(function(){ ++ $.get(".inc/callback.php?" + urArgs, function(data){cb(data)}); ++ }); ++ ++ function cb(data){ ++ // Check to make sure we still have a valid session. If we don't ++ // let the user know and return them to the login page. ++ if (data[0] == "<") { ++ $("span.class_msg").text("Your session has expired!"); ++ $("span.class_msg").css("background-color", "#cc0000"); ++ $("span.class_msg").css("color", "#fff"); ++ $("span.class_msg").show(); ++ var sessionDead = confirm("Your session has expired. Press \"OK\" to return to the login page. If you aren't finished with what you were looking at click 'Cancel'. 
Note: you won't be able to perform any actions."); ++ if (sessionDead) { ++ $("#logout").click(); ++ } ++ } ++ eval("ec=" + data); ++ ++ var esum = 0; ++ ++ for (var i=0; i 0) { ++ var p = parseFloat(ecount/esum*100).toFixed(1); ++ var w = parseInt(p*2); ++ } ++ if (eclass == 0) { ++ qTotal = ecount; ++ } ++ $("#c-" + eclass).text(ecount); ++ $("#c-" + eclass).append("(" + p + "%)"); ++ } ++ ++ var lastcount = $("#cat_sum").val(); ++ var newcount = esum; ++ $("#cat_sum").val(esum); ++ eTotal = esum; ++ $("#event_sum").val(eTotal); ++ ++ if (caller == 0) { // Fresh load ++ lastcount = newcount; ++ } ++ ++ // Last RT value ++ var lastQ = Number($("#qtotal").html()); ++ if (lastcount < newcount) { ++ $("#etotal").html(eTotal); ++ } ++ ++ if (lastQ < qTotal) { ++ if (caller != 0) { ++ if ($(".icon_notifier").css('display') == 'none') $(".icon_notifier").fadeToggle(); ++ } ++ $("#etotal").html(eTotal); ++ $("#qtotal").html(qTotal); ++ } ++ ++ $("#title").html("squert (" + qTotal + ") - " + thisUser); ++ ++ } ++ ++ } ++ ++ // ++ // Event monitor (how often we poll for new events) ++ // ++ ++ var emTimeout = 30000; ++ window.setInterval(function(){ ++ if ($('#search').val().length == 0) { ++ statusPoll(1); ++ } ++ }, emTimeout); ++ ++ $(document).on("click", '[class*="cl_"]', function(event) { ++ var nc = $(this).attr('class').split("_"); ++ var ct = $(this).parents('table').data('comment'); ++ $(".cat_msg_txt").val(ct); ++ $('#b_class-' + nc[1]).click(); ++ }); ++ ++ // Tabs ++ var tab_cached = $("#sel_tab").val(); ++ ++ switch (tab_cached) { ++ case "t_sum": ++ $('.content-right').show(); ++ break; ++ case "t_ovr": ++ $('.content-right').hide(); ++ $('.content-left').hide(); ++ if ($('#ovestat').text().length == 0) loadSummary(); ++ break; ++ case "t_view": ++ $('.content-right').hide(); ++ $('.content-left').hide(); ++ loadViews(); ++ default: ++ $('.content-right').hide(); ++ $('.content-left').hide(); ++ break; ++ } ++ ++ $('#' + 
tab_cached).attr('class','tab_active'); ++ $("#" + tab_cached + "_content").attr('class','content_active'); ++ ++ $(".tab,.tab_active").click(function(event) { ++ var active = $(".tab_active").attr('id'); ++ var content = $(".content_active").attr('id'); ++ if ($(".fl_val_on")[0]) { ++ $('.b_update').click(); ++ } ++ ++ if ( this.id != active ) { ++ $("#" + active).removeClass('tab_active'); ++ $("#" + active).addClass('tab'); ++ $(this).attr('class','tab_active'); ++ $("#" + content).attr('class','content'); ++ $("#" + this.id + "_content").attr('class','content_active'); ++ activeTab = $(".tab_active").attr('id'); ++ $('.pin').hide(); ++ ++ switch (activeTab) { ++ case "t_sum": ++ $('.content-right').show(); ++ if (Number($('.botog').data('val')) == 1) $('.content-left').show(); ++ $('.t_pbar').css('opacity',1); ++ $('.db_links').hide(); ++ $('.pin').show(); ++ break; ++ case "t_ovr": ++ $('.content-right').hide(); ++ $('.content-left').hide(); ++ if ($('#ovestat').text().length == 0) loadSummary(); ++ $('.t_pbar').css('opacity',.1); ++ $('.db_links').hide(); ++ break; ++ case "t_view": ++ $('.content-right').hide(); ++ $('.content-left').hide(); ++ $('.t_pbar').css('opacity',.1); ++ loadViews(); ++ break; ++ default: ++ $('.content-right').hide(); ++ $('.content-left').hide(); ++ $('.t_pbar').css('opacity',.1); ++ $('.db_links').hide(); ++ break; ++ } ++ ++ $('#sel_tab').val(activeTab); ++ var ctab = $('#sel_tab').val(); ++ var urArgs = "type=" + 5 + "&tab=" + ctab; ++ $.get(".inc/callback.php?" 
+ urArgs); ++ } ++ }); ++ ++ // Sub tab groups ++ $(".tsg").click(function(event) { ++ var nc = Number($(this).attr('class').split(/\s/).length); ++ var ct = $(this).data('tab'); ++ $('.tsg_active').attr('class','tsg'); ++ $(this).attr('class','tsg tsg_active'); ++ }); ++ ++ // Toggle and update views ++ function newView(req) { ++ // No racing please ++ var bail = $("#loader").css('display'); ++ if (bail != 'none') return; ++ // Remove any stale views ++ $("#tl0,#tl1,#tl3a,#tl3b").remove(); ++ var f = "0-aaa-00"; ++ var s = "2a-aaa-00"; ++ var cv = $("#gr").text(); ++ ++ switch (cv) { ++ case "on": ++ eventList(f); ++ $("#loader").show(); ++ break; ++ case "off": ++ eventList(s); ++ $("#loader").show(); ++ break; ++ } ++ } ++ ++ // Group and ungroup ++ $(document).on("click", "#gr", function(event) { ++ var bail = $("#loader").css('display'); ++ if (bail != 'none') return; ++ var cv = $('#gr').text(); ++ switch (cv) { ++ case 'on': ++ $('#gr').attr('class','tvalue_off'); ++ $('#gr').text('off'); ++ break; ++ case 'off': ++ $('#gr').attr('class','tvalue_on'); ++ $('#gr').text('on'); ++ $("#event_sort").val("DESC"); ++ break; ++ } ++ }); ++ ++ // RT check/uncheck ++ $(document).on("click", "#rt", function(event) { ++ var bail = $("#loader").css('display'); ++ if (bail != 'none') return; ++ var cv = $('#rt').text(); ++ switch (cv) { ++ case 'on': ++ $('#rt').attr('class','tvalue_off'); ++ $('#rt').text('off'); ++ rtbit = 0; ++ break; ++ case 'off': ++ $('#rt').attr('class','tvalue_on'); ++ $('#rt').text('on'); ++ rtbit = 1; ++ break; ++ } ++ }); ++ ++ // Toggle side/lower bars ++ $(document).on("click", ".botog", function(event) { ++ if ($('.tab_active').attr('id') != 't_sum') return; ++ var n = Number($('.botog').data("val")); ++ switch (n) { ++ case 1: ++ $('.botog').data("val","0"); ++ $('.content-right').css("width","100%"); ++ $('.botog').attr('src','.css/layout0.png'); ++ break; ++ case 0: ++ $('.botog').data("val","1"); ++ 
$('.content-right').css("width","82%"); ++ $('.botog').attr('src','.css/layout1.png'); ++ break; ++ } ++ $('.bottom').animate({height: 'toggle'}); ++ $('.content-left').animate({width: 'toggle'}); ++ }); ++ ++ // Section show and hide ++ $(".st").click(function() { ++ var thisSec = $(this).data("sec"); ++ var thisSecID = "#sec_" + thisSec; ++ var thisSecVis = $(thisSecID).css("display"); ++ var lastSection = "h"; ++ switch (thisSecVis) { ++ case "none": ++ $(this).attr("src", ".css/uarr.png"); ++ $(thisSecID).slideDown(); ++ break; ++ default: ++ $(this).attr("src", ".css/darr.png"); ++ $(thisSecID).slideUp(); ++ break; ++ } ++ }); ++ ++ // If search is in focus, update on enter ++ $('#search').keypress(function(e) { ++ if (!e) e=window.event; ++ key = e.keyCode ? e.keyCode : e.which; ++ if (key == 13) { ++ // Close comment box if it is open ++ if ($('#cat_box').css('display') != 'none') { ++ $('#ico01').click(); ++ } ++ $('.b_update').click(); ++ } ++ }); ++ ++ // Sort ASC/DESC ++ $(document).on("click", ".event_time", function(event) { ++ var csv = $(".event_time").text(); ++ switch (csv) { ++ case "show oldest first": ++ $("#event_sort").val("ASC"); ++ break; ++ case "show newest first": ++ $("#event_sort").val("DESC"); ++ break; ++ } ++ newView("u"); ++ }); ++ ++ // Update page ++ $(document).on("click", ".b_update", function(event) { ++ $(".icon_notifier").fadeToggle(); ++ $(".tag").remove(); ++ $(".tag_empty").show(); ++ // Remove any supplementary results ++ if ($("#extresult")[0]) $("#extresult").remove(); ++ // Where are we? 
++ var curTab = $('.tab_active').attr('id'); ++ switch (curTab) { ++ case 't_ovr': ++ loadSummary(); ++ break; ++ case 't_view': ++ mkView(); ++ break; ++ default: ++ $(".b_update_note").hide(); ++ newView("u"); ++ break; ++ } ++ }); ++ ++ // Clear search and refresh ++ $('#clear_search').click(function() { ++ if ($('#search').val() != '') { ++ $('#search').val(''); ++ $("#search").focus(); ++ if ($(".fl_val_on")[0]) { ++ $('.b_update').click(); ++ } ++ } ++ }); ++ ++ // Logout ++ $("#logout").click(function(event) { ++ //$.get("/logout.html", function(){location.reload()}); ++ location.replace("/logout.html"); ++ }); ++ ++ // Toggle filters ++ $(document).on('click', '.fl_val_on', function(event) { ++ var wF = $(this).data("ft"); ++ switch (wF) { ++ case "tl": ++ ++ break; ++ case "ob": ++ $('#clear_search').click(); ++ break; ++ case "sn": ++ $(".chk_sen").each(function() { ++ $(this).prop("checked",false); ++ }); ++ $('.b_update').click(); ++ break; ++ } ++ }); ++ ++ function clearTags() { ++ //$(".tag").remove(); ++ //$(".tag_empty").show(); ++ $(".tag").removeClass('tag_active'); ++ } ++ ++ // ++ // Rows ++ // ++ ++ function closeRow() { ++ $("#active_eview").remove(); ++ $("#" + this.id).attr('class','d_row'); ++ $(".d_row").css('opacity','1'); ++ ltCol = $(".d_row_active").find('td.lt').html(); ++ $(".d_row_active").find('td.lt').css('background', ltCol); ++ $(".d_row_active").attr('class','d_row'); ++ // Update class_count ++ $("#class_count").text(lastclasscount); ++ // Get rid of any crashed loaders ++ $("#loader").hide(); ++ // Reset checkbox ++ $(".chk_all").prop("checked",false); ++ // Clear Tags ++ clearTags(); ++ } ++ function closeSubRow() { ++ $("#eview_sub1").remove(); ++ $("#" + this.id).attr('class','d_row_sub'); ++ $(".d_row_sub").css('opacity','1'); ++ $(".d_row_sub_active").attr('class','d_row_sub'); ++ // Update class_count ++ $("#class_count").text(lastclasscount); ++ curclasscount = lastclasscount; ++ $("#loader").hide(); ++ // Reset and 
show checkbox ++ $(".chk_all").prop("checked",false); ++ $("#ca0").show(); ++ // Remove any open externals ++ if ($("#extresult")[0]) $("#extresult").remove(); ++ // Clear Tags ++ clearTags(); ++ } ++ function closeSubRow1() { ++ $("#eview_sub2").remove(); ++ $("#" + this.id).attr('class','d_row_sub1'); ++ if (!$("#eview_sub3")[0]) { ++ $(".d_row_sub1").css('opacity','1'); ++ $(".d_row_sub_active1").attr('class','d_row_sub1'); ++ } ++ $("#loader").hide(); ++ // Reset checkbox ++ $(".chk_all").prop("checked",false); ++ // Remove any open externals ++ if ($("#extresult")[0]) $("#extresult").remove(); ++ // Clear Tags ++ clearTags(); ++ } ++ function closeSubRow2() { ++ $("#eview_sub3").remove(); ++ $("#" + this.id).attr('class','d_row_sub1'); ++ if (!$("#eview_sub2")[0]) { ++ $(".d_row_sub1").css('opacity','1'); ++ $(".d_row_sub1_active").attr('class','d_row_sub1'); ++ } ++ $("#loader").hide(); ++ // Clear Tags ++ clearTags(); ++ } ++ ++ // ++ // Level 1 ++ // ++ ++ $(document).on("click", ".row_active", function(event) { ++ var curID = $(this).parent('tr').attr('id'); ++ // What type of row are we? ++ rowType = curID.substr(0,3); ++ ++ // Make sure no other instances are open ++ if (!$(".d_row_active")[0] && rowType == 'sid') { ++ $("#loader").show(); ++ // This leaves us with sid-gid ++ var rowValue = curID.replace("sid-",""); ++ var sigID = rowValue.split("-")[0]; ++ ++ $(".d_row_active").attr('class', 'd_row'); ++ $("#active_eview").attr('class','d_row'); ++ ++ // This is now the active row ++ $("#" + curID).attr('class','d_row_active'); ++ $("html, body").animate({ scrollTop: $('.d_row_active').offset().top - 140 }, 20); ++ // History ++ var itemToAdd = $("#" + curID).find('[class*="row_filter"]').text(); ++ hItemAdd(itemToAdd); ++ // Set the class count (counted again after load) ++ curclasscount = $('.d_row_active').data('event_count'); ++ var cols = $('th.sort').length; ++ var tbl = ''; ++ tbl += ""; ++ tbl += "
"; ++ tbl += "
"; ++ tbl += "
"; ++ tbl += "
"; ++ tbl += "
"; ++ tbl += "
"; ++ tbl += "
"; ++ tbl += "
"; ++ tbl += ""; ++ tbl += "CATEGORIZE"; ++ tbl += curclasscount + "EVENT(S)  "; ++ tbl += "    "; ++ tbl += "CREATE FILTER: "; ++ tbl += "src  "; ++ tbl += "dst  "; ++ tbl += "both"; ++ tbl += "
"; ++ $("#" + curID).after(tbl); ++ ++ // Lookup signature ++ sigLookup(rowValue); ++ ++ // Fetch results ++ eventList("1-" + rowValue); ++ ++ $("#eview").show(); ++ $(".d_row").fadeTo('0','0.2'); ++ } else { ++ closeRow(); ++ } ++ }); ++ ++ // ++ // Level 2 ++ // ++ ++ $(document).on("click", ".sub_active", function() { ++ if (!$(".d_row_sub_active")[0]) { ++ var callerID = $(this).parent('tr').attr('id'); ++ ++ // Reset checkbox ++ $(".chk_all").prop("checked",false); ++ ++ // RT or ALL? ++ switch (rtbit) { ++ case 1: adqp = s2h("AND event.status = 0"); break; ++ case 0: adqp = s2h("empty"); break; ++ } ++ // We are now the active row ++ $("#" + callerID).attr('class','d_row_sub_active'); ++ ++ // Populate search times ++ var bt = $("#" + callerID).find('[class*="timestamp"]').html(); ++ var est = mkStamp(bt,"-",3600000,thisTZ); ++ var eet = mkStamp(bt,"+",3600000,thisTZ); ++ ++ $('#el_start').val(est); ++ $('#el_end').val(eet); ++ ++ // Clear search terms ++ $("#srchterms").html(''); ++ $(".srch_txt").val(''); ++ ++ // History and search ++ $("#" + callerID).find('[class*="sub_filter"]').each(function() { ++ if ($(this).data('type') == 'cc') { ++ var itemToAdd = $(this).data('value'); ++ } else { ++ var itemToAdd = $(this).text(); ++ // Add search terms ++ $("#srchterms").append("" + itemToAdd + "  "); ++ } ++ hItemAdd(itemToAdd); ++ }); ++ ++ $("#loader").show(); ++ eventList("2-" + callerID + "-" + adqp); ++ } else { ++ closeSubRow(); ++ } ++ }); ++ ++ // ++ // Level 3 (a or b) request payload ++ // ++ ++ $(document).on("click", ".sub1_active", function() { ++ // Close transcript if it is open ++ if ($(".eview_sub3")[0]) closeSubRow2(); ++ if (!$(".d_row_sub_active1")[0]) { ++ var callerID = $(this).parent('tr').attr('id'); ++ $("#" + callerID).attr('class','d_row_sub_active1'); ++ ++ // Populate search times ++ var bt = $("#" + callerID).find('[class*="timestamp"]').html(); ++ var est = mkStamp(bt,"-",1800000,thisTZ); ++ var eet = 
mkStamp(bt,"+",1800000,thisTZ); ++ ++ $('#el_start').val(est); ++ $('#el_end').val(eet); ++ ++ // Clear search terms ++ $("#srchterms").html(''); ++ $(".srch_txt").val(''); ++ ++ // History ++ $("#" + callerID).find('[class*="sub_filter"]').each(function() { ++ if ($(this).data('type') == 'cc') { ++ var itemToAdd = $(this).data('value'); ++ } else { ++ var itemToAdd = $(this).text(); ++ } ++ if ($(this).data('type') == 'ip') { ++ // Add search terms ++ $("#srchterms").append("" + itemToAdd + "  "); ++ } ++ hItemAdd(itemToAdd); ++ }); ++ $("#loader").show(); ++ eventList("3-" + callerID); ++ } else { ++ closeSubRow1() ++ } ++ }); ++ ++ // ++ // Level 3 (a or b) request transcript ++ // ++ ++ $(document).on("click", ".sub2_active", function(event) { ++ // Close payload if it is open ++ if ($(".eview_sub2")[0]) closeSubRow1(); ++ var bail = $("#loader").css('display'); ++ if (bail != 'none') return; ++ if (!$(".eview_sub3")[0]) { ++ $("#loader").show(); ++ composite = $(this).data('tx').split("-"); ++ rowLoke = composite[0]; ++ $("#" + rowLoke).attr('class','d_row_sub1_active'); ++ nCols = $("#" + rowLoke).find('td').length; ++ cid = composite[1]; ++ txdata = composite[2]; ++ ++ // See if a transcript is available ++ var urArgs = "type=" + 7 + "&txdata=" + txdata; ++ $(function(){ ++ $.post(".inc/callback.php?" + urArgs, function(data){cb5(data)}); ++ }); ++ ++ function cb5(data){ ++ eval("txRaw=" + data); ++ txCMD = txRaw.cmd; ++ txResult = txRaw.tx; ++ txDebug = txRaw.dbg; ++ if (txResult == "DEBUG:") txResult += " No data was returned."; ++ if (!txResult) { ++ txResult = "Transcript request failed!

"; ++ txResult += "The command was:
" + txCMD + "

"; ++ txResult += "The response was:" + txDebug.replace(/DEBUG:/g,"
"); ++ } ++ ++ var row = '',tbl = ''; ++ row += ""; ++ row += ""; ++ row += "
"; ++ row += txResult; ++ row += "
"; ++ ++ tbl += ""; ++ tbl += row; ++ tbl += ""; ++ $("#" + rowLoke).after(tbl); ++ ++ // Turn off fade effect for large results ++ var rC = $(".d_row_sub1").length; ++ if ( rC <= 399 ) { ++ $(".d_row_sub1").fadeTo('fast','0.2'); ++ } ++ ++ $("#loader").hide(); ++ } ++ } else { ++ closeSubRow2(); ++ } ++ }); ++ ++ // Toggle RT depending on entry point ++ $(document).on("click", ".b_ec_hot", function() { ++ rtbit = 1; ++ }); ++ $(document).on("click", ".b_ec_total", function() { ++ rtbit = 0; ++ }); ++ ++ // Filter constructor ++ function mkFilter() { ++ if ($('#search').val().length > 0) { ++ ++ var srchVal = $('#search').val(); ++ var fParts = ""; ++ ++ // If no term is supplied default to a string, IP or wildcard IP search ++ chkVal: ++ if (srchVal.indexOf(" ") == -1 && srchVal[0] != "!") { ++ var re = /^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}/; ++ if (re.exec(srchVal)) { ++ srchVal = "ip " + srchVal; ++ break chkVal; ++ } ++ ++ var re = /^(\d{1,3}|%)\.(\d{1,3}|%)\.(\d{1,3}|%)\.(\d{1,3}|%)/; ++ if (re.exec(srchVal)) { ++ srchVal = "wip " + srchVal; ++ break chkVal; ++ } ++ ++ srchVal = "sig " + srchVal; ++ } ++ ++ fParts = srchVal.replace(/^!/,"").split(" "); ++ if (fParts[0] == 'cmt') { ++ var theFilter = s2h($('#search').val()); ++ rtbit = 0; ++ } else { ++ // Now see if the requested filter exists ++ if ($("#tr_" + fParts[0]).length > 0) { ++ tmpFilter = $("#tr_" + fParts[0]).data('filter'); ++ // Now see if we need to modify the query ++ if (fParts[1]) { ++ // This is the base filter ++ preFilter = h2s(tmpFilter); ++ // This is the user supplied text. 
++ var re = new RegExp("^" + fParts[0] + "\\s{1}|[';\\\`]","g"); ++ theQuestion = fParts.join(' ').replace(re, ""); ++ // We will accept multiple questions if they are comma delimited ++ questionParts = theQuestion.split(","); ++ if (questionParts.length > 1) { ++ var f = '('; ++ for (var i = 0; i < questionParts.length; i++) { ++ f += preFilter.replace(/\$/g, questionParts[i]); ++ if (i != (questionParts.length - 1)) { ++ f += " OR "; ++ } ++ } ++ f += ')'; ++ theFilter = s2h(f); ++ } else { ++ var newFilter = preFilter.replace(/\$/g, questionParts[0]); ++ theFilter = s2h(newFilter); ++ } ++ } else { ++ theFilter = tmpFilter; ++ } ++ } else { // The filter does not exist ++ theFilter = s2h('empty'); ++ } ++ } ++ } else { // No filter supplied ++ theFilter = s2h('empty'); ++ } ++ return theFilter; ++ } ++ ++ // ++ // This creates the views for each level ++ // ++ ++ function eventList (type) { ++ theWhen = getTimestamp(); ++ statusPoll(0); ++ var parts = type.split("-"); ++ var filterMsg = ''; ++ var rt = 0; ++ var theSensors = s2h('empty'); ++ var theFilter = mkFilter(); ++ ++ // See if we are just RT events ++ if ($('#rt').text() == 'on' || rtbit == 1) { ++ rt = 1; ++ rtbit = 1; ++ } ++ // How are we sorting? 
++ var sortval = $("#event_sort").val(), sorttxt; ++ switch (sortval) { ++ case "DESC": sorttxt = "show oldest first"; break; ++ case "ASC": sorttxt = "show newest first"; break; ++ } ++ ++ // See if we are filtering by sensor ++ if ($('.chk_sen:checked').length > 0) { ++ var active_sensors = "AND event.sid IN("; ++ var iter = $('.chk_sen:checked').length; ++ $('.chk_sen:checked').each(function() { ++ active_sensors += "'" + $(this).val() + "',"; ++ }); ++ active_sensors = active_sensors.replace(/,+$/,''); ++ active_sensors += ")"; ++ theSensors = s2h(active_sensors); ++ } ++ ++ // Check for any filters ++ if (h2s(theFilter) != 'empty') { ++ $('.fl_val').text('YES'); ++ } else { ++ $('.fl_val').text('NO'); ++ } ++ ++ switch (parts[0]) { ++ ++ // Level 0 view - Grouped by Signature ++ case "0": ++ $('.value').text('-'); ++ ++ // Times Chart ++ var urChrtArgs = "type=22&ts=" + theWhen + "&filter=" + theFilter + "&sensors=" + theSensors; ++ $(function(){ ++ $.get(".inc/callback.php?" + urChrtArgs, function(data){cb22(data)}); ++ }); ++ ++ function cb22(data){ ++ eval("chartData=" + data); ++ var r = chartData.r; ++ if (r > 0) { ++ mkLine(".times",chartData.rows,chartData.m); ++ } ++ } ++ ++ var urArgs = "type=" + parts[0] + "&ts=" + theWhen + "&filter=" + theFilter + "&sensors=" + theSensors + "&rt=" + rt + "&sv=" + sortval; ++ $(function(){ ++ $.get(".inc/callback.php?" 
+ urArgs, function(data){cb1(data)}); ++ }); ++ function cb1(data){ ++ eval("d0=" + data); ++ var tbl = ''; ++ var head = ''; ++ var row = ''; ++ var cols = 11; ++ ++ if (rt == 0) cols = 12; ++ head += ""; ++ head += ""; ++ head += "QUEUE"; ++ if (rt == 0) head += "ALL"; ++ head += ""; ++ head += "SC"; ++ head += "DC"; ++ if (rt == 0) head += "CLASS"; ++ head += "ACTIVITY"; ++ head += "LAST EVENT"; ++ head += "SIGNATURE"; ++ head += "ID"; ++ head += "PROTO"; ++ head += "% TOTAL"; ++ head += ""; ++ ++ var sumEC = 0, sumSC = 0, sumDC = 0, sumSI = "-", spr1 = 0, spr2 = 0, spr3 = 0, spr4 = 0; ++ ++ if (d0.length > 0) { ++ // Sums for boxes ++ for (var i=0; i"; ++ row += "No result. If this is unexpected try this"; ++ } ++ ++ if (rt == 1) { ++ sumSC = "-"; ++ sumDC = "-"; ++ sumEC = eTotal; ++ } ++ ++ var sumRT = 0; ++ ++ // Tag Array ++ var tags = new Array(); ++ ++ for (var i=0; i 0 ) { ++ rtClass = "b_ec_hot"; ++ sumRT += parseInt(unClass); ++ } else { ++ rtClass = "b_ec_cold"; ++ } ++ ++ // Sum priorities ++ var prC = Number(d0[i].f1); ++ switch (d0[i].f13) { ++ case "1": spr1 += prC; break; ++ case "2": spr2 += prC; break; ++ case "3": spr3 += prC; break; ++ default: spr4 += prC; break; ++ } ++ ++ rid = "r" + i + "-" + parts[1]; ++ var cells = mkGrid(d0[i].f12); ++ if (rt == 0) var catCells = catGrid(d0[i].f11,0,0); ++ row += ""; ++ row += "
" + unClass + "
"; ++ if (rt == 0) row += "
" + d0[i].f1 + "
"; ++ row += "
" + d0[i].f13 + "
"; ++ row += "" +d0[i].f6+ ""; ++ row += "" +d0[i].f7+ ""; ++ if (rt == 0) row += "" + catCells + ""; ++ ++ timeParts = d0[i].f5.split(" "); ++ timeStamp = timeParts[1]; ++ ++ if ( sumEC > 0) { ++ rowPer = Number(d0[i].f1/sumEC*100).toFixed(3); ++ } else { ++ rowPer = "0.000"; ++ } ++ ++ row += "" + cells + ""; ++ row += "" + timeStamp + ""; ++ row += ""; ++ //row += "
" + d0[i].f2 + "
"; ++ row += d0[i].f2 + ""; ++ row += "" + d0[i].f3 + ""; ++ row += "" + d0[i].f8 + ""; ++ ++ ++ row += "" + rowPer + "%"; ++ row += ""; ++ } ++ ++ // Populate event summary ++ $('#qtotal').text(sumRT); ++ $('#etotal').text(sumEC); ++ $('#esignature').text(sumSI); ++ ++ // Populate tags ++ for (var i=0; i < tags.length; i++) { ++ addTag(tags[i]); ++ } ++ ++ tbl += ""; ++ tbl += head; ++ tbl += row; ++ tbl += "
"; ++ ++ $('#' + parts[1] + '-' + parts[2]).append(tbl); ++ ++ if (d0.length > 0) { ++ var prVals = [spr1,spr2,spr3,spr4]; ++ var pryBar = mkPribar(prVals); ++ } else { ++ var pryBar = mkPribar([0]); ++ } ++ $('#tl1').fadeIn('slow'); ++ $("#tl1").tablesorter(); ++ $("#loader").hide(); ++ } ++ break; ++ ++ // Level 1 view - Grouped by signature, source, destination ++ ++ case "1": ++ var urArgs = "type=" + parts[0] + "&object=" + parts[1] + "&ts=" + theWhen + "&filter=" + theFilter + "&sensors=" + theSensors + "&rt=" + rt + "&sv=" + sortval; ++ $(function(){ ++ $.get(".inc/callback.php?" + urArgs, function(data){cb2(data)}); ++ }); ++ ++ function cb2(data){ ++ eval("theData=" + data); ++ tbl = ''; ++ head = ''; ++ row = ''; ++ head += "QUEUE"; ++ if (rt == 0) head += "TOTAL"; ++ if (rt == 0) head += "CLASS"; ++ head += "ACTIVITY"; ++ head += "LAST EVENT"; ++ head += "SOURCE"; ++ head += "AGE"; ++ head += "COUNTRY"; ++ head += "DESTINATION"; ++ head += "AGE"; ++ head += "COUNTRY"; ++ head += ""; ++ var curclasscount = 0, tlCount = 0, rtCount = 0; ++ var timeValues = "", scid = ""; ++ ++ // Tag array ++ var tags = new Array(); ++ ++ for (var i=0; i 0 ) { ++ rtClass = "b_ec_hot"; ++ isActive = "sub_active"; ++ } else { ++ rtClass = "b_ec_cold"; ++ isActive = "sub"; ++ } ++ ++ // Aggregate time values ++ timeValues += theData[i].c_ts + ","; ++ var cells = mkGrid(theData[i].f12); ++ if (rt == 0) var catCells = catGrid(theData[i].c_status,0,0); ++ ++ // Event sums ++ tlCount += parseInt(count,10); ++ rtCount += parseInt(unclass,10); ++ ++ rid = "r" + i + "-" + parts[1] + "-" + src_ip + "-" + dst_ip; ++ row += ""; ++ row += "
" + unclass + "
"; ++ if (rt == 0) row += "
" + count + "
"; ++ if (rt == 0) row += "" + catCells + ""; ++ row += "" + cells + ""; ++ row += "" + max_time + ""; ++ row += "
" + src_ip + ""; ++ row += "" + src_age_n + ""; ++ row += ""; ++ row += cs[1] + src_clong + " (." + src_cc.toLowerCase() + ")" + ""; ++ row += "
" + dst_ip + ""; ++ row += "" + dst_age_n + ""; ++ row += ""; ++ row += cd[1] + dst_clong + " (." + dst_cc.toLowerCase() + ")" + ""; ++ row += ""; ++ } ++ ++ // Populate tags ++ for (var i=0; i < tags.length; i++) { ++ addTag(tags[i]); ++ } ++ ++ // Add scid's to checkbox ++ $("#ca0").data("scid", scid.replace(/,$/, "")); ++ ++ // If queue is empty provide event sums in case the user ++ // intends to reclass anything ++ if (rtbit == 1) { ++ curclasscount = rtCount; ++ } else { ++ curclasscount = tlCount; ++ } ++ ++ // update class_count ++ $("#class_count").html(curclasscount); ++ lastclasscount = $("#class_count").html(); ++ ++ // While in grouped events (RT) we remove rows as ++ // they are classed and subtract the values from "Total Events" ++ // This keeps etotal up to date so the math doesn't get silly ++ var oldrt = Number($(".d_row_active").find(".b_ec_hot").text()); ++ var oldec = Number($("#etotal").text()); ++ if (oldrt < rtCount) { ++ newrtcount = parseInt((rtCount - oldrt) + oldec); ++ $("#etotal").text(newrtcount); ++ } ++ ++ // Update parent counts ++ $(".d_row_active").find(".b_ec_hot").text(rtCount); ++ if (rt == 0) $(".d_row_active").find(".b_ec_total").text(tlCount); ++ ++ tbl += "
"; ++ tbl += head; ++ tbl += row; ++ tbl += "
"; ++ $("#eview").after(tbl); ++ $("#tl2").tablesorter({ ++ headers: { ++ 4: {sorter:'ipv4'}, ++ 6: {sorter:'ipv4'} ++ } ++ }); ++ $("#loader").hide(); ++ } ++ break; ++ ++ // Level 2 view - No grouping, individual events ++ ++ case "2": ++ var rowLoke = parts[1]; ++ var filter = $('#' + parts[1]).data('filter'); ++ var urArgs = "type=" + parts[0] + "&object=" + filter + "&filter=" + theFilter + "&sensors=" + theSensors + "&ts=" + theWhen + "&adqp=" + parts[2] + "&rt=" + rt + "&sv=" + sortval; ++ $(function(){ ++ $.get(".inc/callback.php?" + urArgs, function(data){cb3(data)}); ++ }); ++ ++ function cb3(data){ ++ eval("d2=" + data); ++ tbl = ''; ++ head = ''; ++ row = ''; ++ head += ""; ++ head += ""; ++ head += "ST"; ++ head += "TIMESTAMP"; ++ head += "EVENT ID"; ++ head += "SOURCE"; ++ head += "PORT"; ++ head += "DESTINATION"; ++ head += "PORT"; ++ head += "SIGNATURE"; ++ head += ""; ++ ++ // Update class_count ++ $("#class_count").html(0); ++ var tlCount=0, rtCount=0; ++ ++ // Tag array ++ var tags= new Array(); ++ ++ for (var i=0; i"; ++ tclass = "c" + eclass; ++ cv = classifications.class[tclass][0].short; ++ ++ // Populate tags array ++ if (src_tag != "-") { ++ var src_tags = src_tag.split(","); ++ $.each(src_tags, function(n,tag) { ++ var t = tags.indexOf(tag); ++ if (t < 0) tags.push(tag); ++ }); ++ } ++ ++ if (dst_tag != "-") { ++ var dst_tags = dst_tag.split(","); ++ $.each(dst_tags, function(n,tag) { ++ var t = tags.indexOf(tag); ++ if (t < 0) tags.push(tag); ++ }); ++ } ++ ++ // Timestamp ++ var compts = d2[i].f2.split(",") || "--"; ++ var timestamp = compts[0]; ++ var utctimestamp = compts[1]; ++ ++ // Event sums ++ tlCount += parseInt(1,10); ++ if (cv == "RT") { ++ rtCount += parseInt(1,10); ++ } ++ ++ // Transcript link ++ // original Squert native pivot: ++ //txdata = "s" + i + "-" + cid + "-" + s2h(sid + "|" + utctimestamp + "|" + src_ip + "|" + src_port + "|" + dst_ip + "|" + dst_port); ++ //txBit = "" + sid + "." + cid + "
"; ++ //if (src_port != "-" && dst_port != "-") { ++ // txBit = "" + sid + "." + cid + ""; ++ //} ++ // new pivot to CapMe: ++ txdata = "s" + i + "-" + cid + "-" + s2h(sid + "|" + utctimestamp + "|" + src_ip + "|" + src_port + "|" + dst_ip + "|" + dst_port); ++ txBit = "" + sid + "." + cid + ""; ++ if (src_port != "-" && dst_port != "-") { ++ var startDate = new Date(utctimestamp); ++ var start_tz_offset = (startDate.getTimezoneOffset()); ++ var stime = startDate.setTime( startDate.getTime()/1000-(start_tz_offset*60) ) - 3600; ++ var endDate = new Date(utctimestamp); ++ var end_tz_offset = (endDate.getTimezoneOffset()); ++ var etime = endDate.setTime( endDate.getTime()/1000-(end_tz_offset*60) ) + 3600; ++ txBit = " " + sid + "." + cid + ""; ++ } ++ ++ row += ""; ++ row += "
"; ++ row += cv + "
"; ++ row += "" + timestamp + ""; ++ row += txBit; ++ row += "" + src_ip + ""; ++ row += "" + src_port + ""; ++ row += "" + dst_ip + ""; ++ row += "" + dst_port + ""; ++ row += "" + signature + ""; ++ row += ""; ++ } ++ ++ // Update parent counts ++ $(".d_row_sub_active").find(".b_ec_hot").text(rtCount); ++ if ($(".d_row_sub_active").find(".b_ec_total").text() < tlCount) { ++ $(".d_row_sub_active").find(".b_ec_total").text(tlCount); ++ } ++ ++ var cols = $('th.sort').length; ++ ++ // Populate tags ++ clearTags(); ++ for (var i=0; i < tags.length; i++) { ++ addTag(tags[i]); ++ } ++ ++ tbl += ""; ++ tbl += ""; ++ tbl += head; ++ tbl += row; ++ tbl += "
"; ++ $("#" + rowLoke).after(tbl); ++ $(".d_row_sub").fadeTo('0','0.2'); ++ $("#loader").hide(); ++ $("#tl3").tablesorter({ ++ headers: { ++ 0:{sorter:false}, ++ 4:{sorter:'ipv4'}, ++ 6:{sorter:'ipv4'} ++ }, ++ cancelSelection:false ++ }); ++ $("#ca0").hide(); ++ } ++ break; ++ ++ // Level 2a view - No grouping, individual events ++ ++ case "2a": ++ $('.value').text('-'); ++ var urArgs = "type=2a&ts=" + theWhen + "&filter=" + theFilter + "&sensors=" + theSensors + "&rt=" + rt + "&sv=" + sortval; ++ $(function(){ ++ $.get(".inc/callback.php?" + urArgs, function(data){cb3a(data)}); ++ }); ++ ++ function cb3a(data){ ++ eval("d2a=" + data); ++ var tbl = ''; ++ var head = ''; ++ var row = ''; ++ var disabled = ''; ++ if (d2a.length == 0) { ++ disabled = "disabled"; ++ row += ""; ++ row += "No result. If this is unexpected try this"; ++ } ++ ++ head += ""; ++ head += ""; ++ head += ""; ++ head += "ST"; ++ head += ""; ++ head += "TIMESTAMP"; ++ head += "ID"; ++ head += "SOURCE"; ++ head += "PORT"; ++ head += "AGE"; ++ head += "CC"; ++ head += "DESTINATION"; ++ head += "PORT"; ++ head += "AGE"; ++ head += "CC"; ++ head += "SIGNATURE"; ++ head += ""; ++ ++ // Aggregate time values ++ var timeValues = ""; ++ for (var ts=0; ts" + sid + "." + cid + ""; ++ //if (src_port != "-" && dst_port != "-") { ++ // txBit = "" + sid + "." + cid + ""; ++ //} ++ // new pivot to CapMe: ++ txdata = "s" + i + "-" + cid + "-" + s2h(sid + "|" + utctimestamp + "|" + src_ip + "|" + src_port + "|" + dst_ip + "|" + dst_port); ++ txBit = "" + sid + "." + cid + ""; ++ if (src_port != "-" && dst_port != "-") { ++ var startDate = new Date(utctimestamp); ++ var start_tz_offset = (startDate.getTimezoneOffset()); ++ var stime = startDate.setTime( startDate.getTime()/1000-(start_tz_offset*60) ) - 3600; ++ var endDate = new Date(utctimestamp); ++ var end_tz_offset = (endDate.getTimezoneOffset()); ++ var etime = endDate.setTime( endDate.getTime()/1000-(end_tz_offset*60) ) + 3600; ++ txBit = " " + sid + "." 
+ cid + ""; ++ } ++ ++ row += ""; ++ row += ""; ++ row += "
"; ++ row += cv + "
"; ++ row += "
" + d2a[i].f16 + "
"; ++ row += "" + timestamp + ""; ++ row += txBit; ++ row += "
" + src_ip + ""; ++ row += "" + src_port + ""; ++ row += "" + src_age_n + ""; ++ row += "" + cs[1] + ""; ++ row += "
" + dst_ip + ""; ++ row += "" + dst_port + ""; ++ row += "" + dst_age_n + "" ++ row += "" + cd[1] + ""; ++ row += "" + signature + ""; ++ } ++ ++ var sumED = 0, sumEC = 0, cmsg = ""; ++ ++ if (d2a.length > 0) { ++ sumED = i; ++ sumEC = d2a.length; ++ } ++ ++ if (d2a.length >= maxI) { ++ sumRE = sumEC - maxI; ++ cmsg = " / " + sumRE + " not shown"; ++ } ++ ++ $("#qtotal").html(rsumRT); ++ ++ // Populate tags ++ clearTags(); ++ for (var i=0; i < tags.length; i++) { ++ addTag(tags[i]); ++ } ++ ++ // Draw ++ tbl += ""; ++ tbl += "
"; ++ tbl += "
"; ++ tbl += "
"; ++ tbl += "categorize " + 0 + ""; ++ tbl += " of " + sumED + " event(s)" + cmsg; ++ tbl += "
"; ++ tbl += "
" + sorttxt + "
"; ++ tbl += "
"; ++ tbl += "
"; ++ tbl += ""; ++ tbl += head; ++ tbl += row; ++ tbl += "
"; ++ $('#' + parts[1] + '-' + parts[2]).after(tbl); ++ ++ if (d2a.length > 0) { ++ var prVals = [spr1,spr2,spr3,spr4]; ++ var pryBar = mkPribar(prVals); ++ } else { ++ var pryBar = mkPribar([0]); ++ } ++ $("#tl3a,#tl3b").fadeIn('slow'); ++ $("#tl3b").tablesorter({ ++ headers: { ++ 0:{sorter:false}, ++ 1:{sorter:false}, ++ 5:{sorter:'ipv4'}, ++ 8:{sorter:'ipv4'} ++ }, ++ cancelSelection:false ++ }); ++ $("#loader").hide(); ++ } ++ break; ++ ++ // Level 3 view - Packet Data ++ ++ case "3": ++ var rowLoke = parts[1]; ++ var nCols = $('#' + parts[1]).data('cols'); ++ var filter = $('#' + parts[1]).data('filter'); ++ var urArgs = "type=" + parts[0] + "&object=" + filter + "&ts=" + theWhen; ++ var sg = $('#' + parts[1]).data('sg'); ++ $(function(){ ++ $.get(".inc/callback.php?" + urArgs, function(data){cb4(data)}); ++ }); ++ ++ function cb4(data){ ++ eval("theData=" + data); ++ ++ var tbl = '', head = '', row = ''; ++ ++ // If IP version is 0 we can jump right to the payload (likely bro, http or ossec agent) ++ if (theData[0].ip_ver != 0) { ++ ++ var PDATA = 0; ++ head += ""; ++ head += ""; ++ head += ""; ++ head += ""; ++ head += ""; ++ head += ""; ++ head += ""; ++ head += ""; ++ head += ""; ++ head += ""; ++ head += ""; ++ head += ""; ++ head += ""; ++ head += ""; ++ ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += "
IPVERIHLTOSLENGTHIDFLAGSOFFSETTTLCHECKSUMPROTO
" + theData[0].ip_ver + "" + theData[0].ip_hlen + "" + theData[0].ip_tos + "" + theData[0].ip_len + "" + theData[0].ip_id + "" + theData[0].ip_flags + "" + theData[0].ip_off + "" + theData[0].ip_ttl + "" + theData[0].ip_csum + "" + theData[0].ip_proto + "
"; ++ ++ switch (theData[0].ip_proto) { ++ case "1": ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += "
ICMPTYPECODECHECKSUMIDSEQ#
" + theData[1].icmp_type + "" + theData[1].icmp_code + "" + theData[1].icmp_csum + "" + theData[1].icmp_id + "" + theData[1].icmp_seq + "
"; ++ break; ++ ++ case "6": ++ // TCP flags ++ var tmpFlags = theData[1].tcp_flags || 'z'; ++ switch (tmpFlags) { ++ case 'z': var tcpFlags = '--------'; break; ++ default: ++ var binFlags = Number(theData[1].tcp_flags).toString(2); ++ var binPad = 8 - binFlags.length; ++ var tcpFlags = "00000000".substring(0,binPad) + binFlags; ++ break; ++ } ++ var tcp_seq = theData[1].tcp_seq || '-'; ++ var tcp_ack = theData[1].tcp_ack || '-'; ++ var tcp_off = theData[1].tcp_off || '-'; ++ var tcp_res = theData[1].tcp_res || '-'; ++ var tcp_win = theData[1].tcp_win || '-'; ++ var tcp_urp = theData[1].tcp_urp || '-'; ++ var tcp_csum = theData[1].tcp_csum || '-'; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += "
TCPR1R0URGACKPSHRSTSYNFINSEQ#ACK#OFFSETRESWINURPCHECKSUM
" + tcpFlags[0] + "" + tcpFlags[1] + "" + tcpFlags[2] + "" + tcpFlags[3] + "" + tcpFlags[4] + "" + tcpFlags[5] + "" + tcpFlags[6] + "" + tcpFlags[7] + "" + tcp_seq + "" + tcp_ack + "" + tcp_off + "" + tcp_res + "" + tcp_win + "" + tcp_urp + "" + tcp_csum + "
"; ++ break; ++ ++ case "17": ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += "
UDPLENGTHCHECKSUM
" + theData[1].udp_len + "" + theData[1].udp_csum + "
"; ++ break; ++ } ++ ++ var p_hex = '', p_ascii = '', p_ascii_l = ''; ++ ++ // Data ++ if (!theData[2]) { ++ p_hex = "No Data Sent."; ++ p_ascii = "No Data Sent."; ++ } else { ++ p_pl = theData[2].data_payload; ++ p_length = theData[2].data_payload.length; ++ var b0 = 0; ++ ++ for(var i=0; i < p_length; i+=2) { ++ b0++; ++ t_hex = p_pl.substr(i,2); ++ t_int = parseInt(t_hex,16); ++ ++ if ((t_int < 32) || (t_int > 126)) { ++ p_hex += t_hex + " "; ++ p_ascii += "."; ++ p_ascii_l += "."; ++ } else if (t_int == 60) { ++ p_hex += t_hex + " "; ++ p_ascii += "<"; ++ p_ascii_l += "<"; ++ } else if (t_int == 62) { ++ p_hex += t_hex + " "; ++ p_ascii += ">"; ++ p_ascii_l += ">"; ++ } else { ++ p_hex += t_hex + " "; ++ p_ascii += String.fromCharCode(parseInt(t_hex, 16)); ++ p_ascii_l += String.fromCharCode(parseInt(t_hex, 16)); ++ } ++ ++ if ((b0 == 16) && (i < p_length)) { ++ p_hex += "
"; ++ p_ascii += "
"; ++ b0 = 0; ++ } ++ } ++ } ++ ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += "
DATAHEXASCII
" + p_hex + "" + p_ascii + "
ASCII" + p_ascii_l + "
"; ++ ++ } else { ++ ++ head += ""; ++ var p_ascii = "No Data Sent."; ++ // This needs to be more robust. ++ if (theData[2]) { ++ var tmp = h2s(theData[2].data_payload).split("\n"); ++ p_ascii = ''; ++ for (var i in tmp) { ++ p_ascii += "
" + tmp[i] + "
"; ++ } ++ ++ } ++ row += ""; ++ row += ""; ++ row += "
" + p_ascii + "
"; ++ } ++ ++ tbl += ""; ++ ++ // If we are not grouped we show the signature text ++ if ( sg != 0 ) { ++ tbl += "
"; ++ tbl += "
"; ++ tbl += "
"; ++ tbl += "
"; ++ tbl += "
"; ++ tbl += "
"; ++ sigLookup(sg); ++ } ++ ++ // Comments and tags are done here ++ var tags = new Array(); ++ var eventTag = 'None.'; ++ var eventComment = theData[0].comment || 'None.'; ++ var src_tag = theData[0].srctag || '-'; ++ var dst_tag = theData[0].dsttag || '-'; ++ ++ // Populate tags array ++ if (src_tag != "-") { ++ var src_tags = src_tag.split(","); ++ $.each(src_tags, function(n,tag) { ++ var t = tags.indexOf(tag + ",s"); ++ if (t < 0) tags.push(tag + ",s"); ++ }); ++ } ++ ++ if (dst_tag != "-") { ++ var dst_tags = dst_tag.split(","); ++ $.each(dst_tags, function(n,tag) { ++ var t = tags.indexOf(tag + ",d"); ++ if (t < 0) tags.push(tag + ",d"); ++ }); ++ } ++ ++ if (tags.length > 0) eventTag = ''; ++ ++ tbl += "
COMMENTS
"; ++ tbl += "
" + eventComment + "
"; ++ tbl += "
TAGS
"; ++ tbl += "
" + eventTag + "
"; ++ if (PDATA != 0) { ++ tbl += "
DETAILS
"; ++ } else { ++ tbl += "
PAYLOAD
"; ++ } ++ tbl += head; ++ tbl += row; ++ tbl += ""; ++ $("#" + rowLoke).after(tbl); ++ $("#loader").hide(); ++ ++ // Turn off fade effect for large results ++ var rC = $(".d_row_sub1").length; ++ if ( rC <= 499 ) { ++ $(".d_row_sub1").fadeTo('fast','0.2'); ++ } ++ ++ // Populate tags ++ clearTags(); ++ for (var i=0; i < tags.length; i++) { ++ addTag(tags[i]); ++ } ++ ++ } ++ break; ++ } ++ // If event queue is off we need to reset this after load if b_ec_hot was ++ // the entry point ++ if ($('#rt').text() == 'off') rtbit = 0; ++ } ++ ++ // ++ // Object click handlers ++ // ++ ++ $(document).on("click", ".select,.ex_val,.sub_filter,.row_filter,.tof,.value_link,.nr_f", function(e) { ++ // Check if we are coming from a legit object ++ var prefix = $(this).data('type'); ++ if (prefix == "none") return; ++ ++ // Check if we are coming from a sane selection ++ var selLen = window.getSelection().toString().length; ++ if (selLen > 4) { ++ if (selLen < 255) { // Might need to change these based on how people use this ++ prefix = "zz"; ++ var suffix = window.getSelection().toString(); ++ var re = /\s/g; ++ var NOK = re.exec(suffix); ++ if (NOK) return; ++ } else { ++ return; ++ } ++ } else { ++ var suffix = $(this).text(); ++ } ++ ++ var mX = e.pageX; ++ var mY = e.pageY; ++ ++ var colour = $(this).data('col') || "FFFFFF"; ++ var tfocus = "#search"; ++ switch (prefix) { ++ case 'ip': ++ hItemAdd(suffix); ++ var sord = $(this).data('sord'); ++ mkPickBox(prefix,suffix,sord,colour,mX,mY); ++ break; ++ case 'spt': ++ case 'dpt': ++ hItemAdd(suffix); ++ mkPickBox(prefix,suffix,0,colour,mX,mY); ++ break; ++ case 'cc': ++ case 'scc': ++ case 'dcc': ++ var cc = $(this).data('value'); ++ hItemAdd(cc); ++ mkPickBox(prefix,cc,suffix,colour,mX,mY); ++ break; ++ case 'cmt': ++ suffix = $(this).data('comment'); ++ $("#rt").text("off"); ++ $("#rt").attr('class','tvalue_off'); ++ $('#search').val(prefix + " " + suffix); ++ hItemAdd(suffix); ++ if ($('#cat_box').css('display') != 'none') { 
++ $('#ico01').click(); ++ } ++ $('.b_update').click(); ++ break; ++ case 'cmt_c': ++ $('.cat_msg_txt').val(suffix); ++ hItemAdd(suffix); ++ tfocus = ".cat_msg_txt"; ++ break; ++ case 'fil': ++ var fil = $(this).data('value'); ++ $('#search').val(fil); ++ hItemAdd(fil); ++ if ($('#fltr_box').css('display') != 'none') { ++ $('#ico04').click(); ++ } ++ $('.b_update').click(); ++ break; ++ case 'sid': ++ var value = $(this).data('value'); ++ hItemAdd(suffix); ++ mkPickBox(prefix,value,suffix,colour,mX,mY); ++ break; ++ case 'st': ++ var suffix = $(this).attr('id').split('-')[1]; ++ $('#search').val(prefix + " " + suffix); ++ // RT must be off to return anything ++ $('#rt').attr('class','tvalue_off'); ++ $('#rt').text('off'); ++ rtbit = 0; ++ $('.b_update').click(); ++ break; ++ case 'el': ++ var suffix = $(this).data('value'); ++ mkPickBox(prefix,suffix,0,colour,mX,mY); ++ break; ++ case 'zz': ++ hItemAdd(suffix); ++ mkPickBox(prefix,suffix,0,colour,mX,mY); ++ break; ++ } ++ }); ++ ++ // ++ // Picker Box ++ // ++ ++ function mkPickBox(prefix,suffix,rsuffix,colour,mX,mY) { ++ var doexternals = "yes"; ++ var objhex = s2h(suffix); ++ var tbl = '', row = ''; ++ // Local stuff first ++ switch (prefix[prefix.length - 1]) { ++ case "c": ++ row += ":: SRC or DST"; ++ row += ":: SRC"; ++ row += ":: DST"; ++ row += ":: SEARCH"; ++ break; ++ case "p": ++ row += ":: SRC or DST"; ++ row += ":: SRC"; ++ row += ":: DST"; ++ row += ":: ADD / REMOVE TAG"; ++ if ($('.sigtxt')[0]) { ++ row += ":: HISTORY"; ++ } ++ row += ":: SEARCH"; ++ row += ":: COLOUR  "; ++ row += ""; ++ row += "apply"; ++ row += "apply all"; ++ row += ""; ++ break; ++ case "t": ++ row += ":: SRC"; ++ row += ":: DST"; ++ row += ":: SEARCH"; ++ break; ++ case "d": ++ row += ":: SIGNATURE"; ++ if ($('.sigtxt')[0]) { ++ row += ":: HISTORY"; ++ } ++ row += ":: SEARCH"; ++ break; ++ case "l": ++ row += ":: COLOUR  "; ++ row += ""; ++ row += "update"; ++ doexternals = "no"; ++ break; ++ case "z": ++ row += ":: SEARCH"; ++ 
break; ++ } ++ ++ // If applicable populate externals ++ if (doexternals == "yes") { ++ $('.f_row').each(function() { ++ var ct = $(this).data('type'); ++ if (ct == 'url') { ++ var alias = $(this).data('alias'); ++ var name = $(this).data('name'); ++ var url = $(this).data('filter'); ++ row += ""; ++ row += "" + name + ""; ++ row += ""; ++ } ++ }); ++ } ++ ++ tbl += ""; ++ tbl += row; ++ tbl += "
"; ++ ++ var boxlabel = suffix; ++ ++ // Use more descriptive names where possible ++ var re = /(sid|cc|scc|dcc)/; ++ var OK = re.exec(prefix); ++ if (OK) { ++ var boxlabel = rsuffix; ++ } ++ ++ if (boxlabel.length > 24) { ++ boxlabel = boxlabel.substring(0,24); ++ boxlabel += ".."; ++ } ++ ++ $('#pickbox_label').text(boxlabel).css('font-weight','normal').data('sord', rsuffix); ++ ++ if ($('#tlpick')[0]) $('#tlpick').remove(); ++ $(".pickbox_tbl").append(tbl); ++ $('.pickbox').fadeIn('fast'); ++ ++ // Colour Picker ++ $("#menucol").spectrum({ ++ showInput: true, ++ className: "full-spectrum", ++ showInitial: true, ++ showPalette: true, ++ showSelectionPalette: true, ++ maxPaletteSize: 6, ++ preferredFormat: "hex", ++ localStorageKey: "spectrum.demo", ++ move: function (color) {}, ++ show: function () {}, ++ beforeShow: function () {}, ++ hide: function () {}, ++ change: function() {}, ++ palette: [ ++ ['rgb(217,217,217)','rgb(189,189,189)','rgb(150,150,150)','rgb(99,99,99)','rgb(37,37,37)'], ++ ['rgb(199,233,192)','rgb(161,217,155)','rgb(116,196,118)','rgb(49,163,84)','rgb(0,109,44)'], ++ ['rgb(218,218,235)','rgb(188,189,220)','rgb(158,154,200)','rgb(117,107,177)','rgb(84,39,143)'], ++ ['rgb(198,219,239)','rgb(158,202,225)','rgb(107,174,214)','rgb(49,130,189)','rgb(8,81,156)'], ++ ['rgb(254,217,118)','rgb(254,178,76)','rgb(253,141,60)','rgb(240,59,32)','rgb(189,0,38)'] ++ ] ++ }); ++ } ++ ++ // Pickbox click events ++ $(document).on('click', '.p_row', function() { ++ if ($('.tagbox').css('display') != 'none') $('.tagcancel').click(); ++ var ctype = $(this).data('type'); ++ var alias = $(this).data('alias'); ++ var args = $('#tlpick').data('val'); ++ switch(ctype) { ++ case "l": ++ $('.pickbox').fadeOut('fast'); ++ $('#search').val(alias + " " + args); ++ $('.b_update').click(); ++ break; ++ case "r": ++ $('.pickbox').fadeOut('fast'); ++ var url = h2s($(this).data('url')).replace("${var}", args); ++ window.open(url); ++ break; ++ case "t": ++ 
$('.tagbox').fadeIn('fast'); ++ $('.taginput').focus(); ++ break; ++ case "s": ++ $('.pickbox').fadeOut('fast', function() {; ++ $('#ico05').click(); ++ }); ++ $('.srch_txt').val(args); ++ break; ++ case "h": ++ doHistory(args); ++ $('.pickbox').fadeOut('fast'); ++ break; ++ default: return; ++ } ++ }); ++ ++ // ++ // Tags ++ // ++ ++ // Truncate ++ function truncTag(tag,len) { ++ if (tag.length > len) tag = tag.substring(0,len) + ".."; ++ return tag; ++ } ++ ++ // Filter results or add as new ++ $(document).on('click', '.tag', function() { ++ var tag = $(this).data('val'); ++ if($('.taginput').is(":visible")) { ++ $('.taginput').val(tag); ++ $('.taginput').focus(); ++ } else { ++ $('#search').val('tag ' + tag); ++ $('.b_update').click(); ++ } ++ }); ++ ++ // Remove individual tags on "(X)" click via payload area ++ $(document).on('mouseenter', '.tag_d, .tag_s', function() { ++ var tag = $(this).data('val'); ++ if ($(".tag_x")[0]) return; ++ var dw = $(this).width() - 5 + "px"; ++ $(this).append("
X
"); ++ $(".tag_x").css("margin-left", dw); ++ $(".tag_x").fadeIn("slow"); ++ ++ }); ++ ++ $(document).on('mouseleave', '.tag_d, .tag_s', function() { ++ $('.tag_x').remove(); ++ }); ++ ++ $(document).on('click', '.tag_x', function() { ++ var tag = $(this).parent().data("val"); ++ var obj = $(this).parent().data("obj"); ++ $(this).parent().remove(); ++ var len = $("#tag_area").text().length; ++ if (len == 0) $("#tag_area").append("None."); ++ //doTag(s2h(obj),tag,'rm'); ++ }); ++ ++ // Fire tag add on enter ++ $('.taginput').keypress(function(e) { ++ if (!e) e=window.event; ++ key = e.keyCode ? e.keyCode : e.which; ++ if (key == 13) $('.tagok').click(); ++ }); ++ ++ // Close tag entry ++ $(document).on('click', '.tagcancel', function() { ++ $('.taginput').val(''); ++ $('.tagbox').fadeOut('fast'); ++ }); ++ ++ // Add a tag ++ $(document).on('click', '.tagok', function() { ++ var tag = $('.taginput').val(); ++ var obj = $('#pickbox_label').text(); ++ var re = /^[?a-zA-Z0-9][\s{1}\w-\.]*$/; ++ var OK = re.exec(tag); ++ if (OK) doTag(s2h(obj),tag,'add'); ++ }); ++ ++ // Remove a tag ++ $(document).on('click', '.tagrm', function() { ++ var tag = truncTag($('.taginput').val(),20); ++ var obj = $('#pickbox_label').text(); ++ doTag(s2h(obj),tag,'rm'); ++ $(".tag" + ":contains('" + tag + "')").remove(); ++ $('.tagcancel').click(); ++ }); ++ ++ // Display or Toggle tags ++ function addTag(tag) { ++ // If we entered from payload we have some additional info ++ if ($('#eview_sub2')[0]) { ++ var longTag = tag.split(",")[0]; ++ var theClass = tag.split(",")[1]; ++ var t_tag = truncTag(longTag,20); ++ } else { ++ var t_tag = truncTag(tag,20); ++ } ++ ++ // Hide empty ++ $('.tag_empty').hide(); ++ ++ // Check if tag exists ++ var tag_exists = 0; ++ $('.tag').each(function() { ++ if ($(this).text() == t_tag) { ++ $(this).addClass('tag_active'); ++ tag_exists = 1; ++ } ++ }); ++ ++ // Add tag to left pane ++ if (tag_exists == 0) { ++ var newTag = "
" + t_tag + "
"; ++ $('#tg_box').prepend(newTag); ++ } ++ ++ // If we have the payload open, add here as well ++ if ($('#eview_sub2')[0]) { ++ if($('#pickbox_label').is(":visible")) { ++ theClass = $('#pickbox_label').data('sord')[0]; ++ } ++ // Remove placeholder ++ if ($('#tag_none')[0]) $('#tag_none').remove(); ++ var newTag = "
" + t_tag + "
"; ++ $('#tag_area').prepend(newTag); ++ } ++ ++ } ++ ++ function doTag(obj,tag,op) { ++ var urArgs = "type=19&obtype=tag&object=" + obj + "&value=" + tag + "&op=" + op; ++ $(function(){ ++ $.post(".inc/callback.php?" + urArgs, function(data){cb22(data)}); ++ }); ++ ++ function cb22(data){ ++ eval("theData=" + data); ++ if (theData.msg != '') { ++ alert(theData.msg); ++ } else { ++ if (op != 'rm') addTag(tag); ++ $('.tagcancel').click(); ++ } ++ } ++ } ++ ++ // Colours ++ $(document).on('click', '.csave', function() { ++ var obtype = $(this).data('obtype'); ++ var object = $(this).data('object'); ++ var colour = $('#menucol').val().replace(/#/,"").toUpperCase(); ++ var op = "add"; ++ var re = /^([A-Fa-f0-9]{6}|[A-Fa-f0-9]{3})$/; ++ var OK = re.exec(colour); ++ if (!OK) return; ++ // Single or multiple? ++ if (obtype == "src" || obtype == "dst") { ++ var vr = new Array(); ++ $("." + obtype).each(function() { ++ var v = $(this).text(); ++ var re = /\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}/; ++ var OK = re.exec(v); ++ if (OK) { ++ var t = vr.indexOf(v); ++ if (t < 0) vr.push(v); ++ } ++ }); ++ object = vr.toString(); ++ } ++ ++ var urArgs = "type=19&obtype=" + obtype + "_c&object=" + object + "&value=" + colour + "&op=" + op; ++ $(function(){ ++ $.post(".inc/callback.php?" + urArgs, function(data){cb22(data)}); ++ }); ++ ++ function cb22(data){ ++ eval("theData=" + data); ++ if (theData.msg != '') { ++ alert(theData.msg); ++ } else { // We should be good.. ++ var curObject = $('#pickbox_label').text(); ++ if (obtype == "el") { ++ var html = "
" + colour; ++ $('#el_' + curObject).html(html); ++ $('#el_' + curObject).data('col', colour); ++ } else { ++ $(".sub_filter:contains(" + curObject + ")").each(function() { ++ $(this).find('.object').css('background-color', '#' + colour).parent().data('col', colour); ++ }); ++ } ++ $('.pickbox').fadeOut('fast'); ++ } ++ } ++ }); ++ ++ $(document).on('click', '.pickbox_close', function() { ++ $('.tagcancel').click(); ++ $('.pickbox').fadeOut('fast'); ++ }); ++ ++ // ++ // Object History ++ // ++ ++ function hItemAdd(item) { ++ var itemTitle = item; ++ // Truncate ++ if (item.length > 33) { ++ itemTitle = item.substring(0,33) + ".."; ++ } ++ // Remove empty message ++ $('.history_empty').hide(); ++ ++ // If the item doesn't exist, add it. Otherwise, we start counting. ++ if ($(".h_item:contains('" + itemTitle + "')").length > 0) { ++ var oc = $(".h_item:contains('" + itemTitle + "')").data('n'); ++ var nc = Number(oc) + 1; ++ var bg = '#c9c9c9'; ++ var fn = 'normal'; ++ if (nc <= 3) { ++ bg = '#000'; ++ } else if (nc > 3) { ++ bg = '#cc0000'; ++ fn = 'bold'; ++ } ++ ++ $(".h_item:contains('" + itemTitle + "')").css('color', bg); ++ $(".h_item:contains('" + itemTitle + "')").css('font-weight', fn); ++ $(".h_item:contains('" + itemTitle + "')").data('n',nc); ++ $(".h_item:contains('" + itemTitle + "')").text(itemTitle + "(" + nc + ")"); ++ } else { ++ var toAdd = " " + itemTitle + ""; ++ $('#h_box').prepend(toAdd); ++ } ++ } ++ ++ if (!$('.h_item')[0]) { ++ $('.history_empty').show(); ++ } ++ ++ // Alt mappings for icons ++ ++ $.alt('1', function() { ++ $("#ico01").click(); ++ }); ++ $.alt('2', function() { ++ $("#ico02").click(); ++ }); ++ $.alt('3', function() { ++ $("#ico03").click(); ++ }); ++ $.alt('4', function() { ++ $("#ico05").click(); ++ }); ++ $.alt('5', function() { ++ $("#ico04").click(); ++ }); ++ ++ // ++ // Event classification ++ // ++ ++ // Use function keys to trigger status buttons ++ $(document).keydown(function(event){ ++ ++ function stopOthers() 
{ ++ event.originalEvent.keyCode = 0; ++ event.preventDefault(); ++ event.stopPropagation(); ++ } ++ ++ switch (event.keyCode) { ++ case 112: stopOthers(); $('#b_class-11').click(); break; ++ case 113: stopOthers(); $('#b_class-12').click(); break; ++ case 114: stopOthers(); $('#b_class-13').click(); break; ++ case 115: stopOthers(); $('#b_class-14').click(); break; ++ case 116: stopOthers(); $('#b_class-15').click(); break; ++ case 117: stopOthers(); $('#b_class-16').click(); break; ++ case 118: stopOthers(); $('#b_class-17').click(); break; ++ case 119: stopOthers(); $('#b_class-1').click(); break; ++ case 120: stopOthers(); $('#b_class-2').click(); break; ++ } ++ }); ++ ++ // Comment window status buttons ++ $(document).on("click", "#cw_buttons", function(event) { ++ var newclass = $(event.target).data('n'); ++ if (newclass == 0) { ++ $('#b_class-' + newclass).click(); ++ } else { ++ $('#b_class-' + newclass).click(); ++ } ++ }); ++ ++ // Highlight colour for selected events ++ var hlcol = "#FFFFE0"; ++ var hlhov = "#FDFDD6"; ++ ++ // Individual selects ++ var clickOne = 0, clck1 = 0, clck2 = 0; ++ $(document).on("click", ".chk_event", function(event) { ++ $("#tl3b").trigger('update'); ++ var clickTwo = this.id.split("_"); ++ if (Number(clickOne[1]) > Number(clickTwo[1])) { ++ clck1 = clickTwo[1]; ++ clck2 = clickOne[1]; ++ } else { ++ clck1 = clickOne[1]; ++ clck2 = clickTwo[1]; ++ } ++ ++ if (event.shiftKey) { ++ if (clck1 != clck2) { ++ $("#s" + clck1).nextUntil("#s" + clck2).find(".chk_event").prop("checked", true); ++ $("#s" + clck1).nextUntil("#s" + clck2).css("background-color", hlcol); ++ $("#s" + clck1).nextUntil("#s" + clck2).hover( ++ function(){$(this).css("background-color", hlhov)}, ++ function(){$(this).css("background-color", hlcol)}); ++ clickOne = 0, clck1 = 0, clck2 = 0; ++ } ++ } ++ ++ // Update class_count ++ $("#class_count").html($(".chk_event:checked").length); ++ if ($("#ca1:checked").length > 0) { ++ $("#ca1").prop("checked",false); ++ 
} ++ clickOne = this.id.split("_"); ++ ++ if ($(this).prop("checked") == true) { ++ $("#s" + clickTwo[1]).css("background-color", hlcol); ++ $("#s" + clickTwo[1]).hover(function(){$(this).css("background-color", hlhov)}, ++ function(){$(this).css("background-color", hlcol)}); ++ } else { ++ $("#s" + clickTwo[1]).css("background-color", "transparent"); ++ $("#s" + clickTwo[1]).hover(function(){$(this).css("background-color", "#f4f4f4")}, ++ function(){$(this).css("background-color", "transparent")}); ++ } ++ }); ++ ++ // Select all (2) ++ $(document).on("click", "#ca1", function(event) { ++ var chkLen = $("#ca1:checked").length; ++ switch(chkLen) { ++ case 0: ++ $(".chk_event").prop("checked",false); ++ $("#ca0").prop("checked",false); ++ $(".d_row_sub1").css("background-color", "transparent"); ++ $(".d_row_sub1").hover(function(){$(this).css("background-color", "#f4f4f4")}, ++ function(){$(this).css("background-color", "transparent")}); ++ break; ++ default: ++ $(".chk_event").each(function() { ++ if ($(this).prop("disabled") == false) { ++ $(this).prop("checked",true); ++ } ++ }); ++ $(".d_row_sub1").css("background-color", hlcol); ++ $(".d_row_sub1").hover(function(){$(this).css("background-color", hlhov)}, ++ function(){$(this).css("background-color", hlcol)}); ++ $("#ca0").prop("checked",true); ++ break; ++ } ++ ++ if ($(".eview_sub1")[0]) { ++ // Update class_count ++ $("#class_count").html($(".chk_event:checked").length); ++ } ++ ++ }); ++ ++ // Select all (2a) - clean this up, the above is almost identical ++ $(document).on("click", "#ca2", function(event) { ++ var chkLen = $("#ca2:checked").length; ++ switch(chkLen) { ++ case 0: ++ $(".chk_event").prop("checked",false); ++ $("#ca2").prop("checked",false); ++ $(".d_row_sub1").css("background-color", "transparent"); ++ $(".d_row_sub1").hover(function(){$(this).css("background-color", "#f4f4f4")}, ++ function(){$(this).css("background-color", "transparent")}); ++ break; ++ default: ++ 
$(".chk_event").each(function() { ++ if ($(this).prop("disabled") == false) { ++ $(this).prop("checked",true); ++ } ++ }); ++ $(".d_row_sub1").css("background-color", hlcol); ++ $(".d_row_sub1").hover(function(){$(this).css("background-color", hlhov)}, ++ function(){$(this).css("background-color", hlcol)}); ++ $("#ca2").prop("checked",true); ++ break; ++ } ++ // Update class_count ++ $("#class_count").html($(".chk_event:checked").length); ++ }); ++ ++ // Class button click ++ $(document).on("click", "[id*=\"b_class-\"]", function() { ++ // We only fire if something is selected ++ var chkLen = parseInt($(".chk_event:checked").length + $(".chk_all:checked").length); ++ var intclass = $(this).attr('id').split("-"); ++ if (chkLen > 0 && intclass[1] != 0) { ++ eClass(this,intclass[1]); ++ } ++ }); ++ ++ function eClass(caller,intclass) { ++ // The sid.cid values ++ var scid= "", scidlist = "", ecls = 0; ++ if ($(".eview_sub1")[0] || $("#ca2")[0]) { ++ $(".chk_event:checked").each(function() { ++ if ($(this).data('eclass') == 0) { ++ ecls++; ++ } ++ scid += $(this).val() + ","; ++ }); ++ scidlist = scid.replace(/,$/, ""); ++ } else { ++ ecls = $(".d_row_active").find(".b_ec_hot").text(); ++ scidlist = $("#ca0").data("scid"); ++ } ++ ++ // Was there a message? ++ var msg = "none"; ++ if ($(".cat_msg_txt").val().length != 0) { ++ msg = $(".cat_msg_txt").val(); ++ } ++ ++ if ($('#cat_box').css('display') != 'none') { ++ $('#ico01').click(); ++ } ++ ++ // We are now ready to class ++ var catdata = intclass + "|||" + msg + "|||" + scidlist; ++ var urArgs = "type=" + 9; ++ $(function(){ ++ $.post(".inc/callback.php?" 
+ urArgs, { catdata: catdata } ,function(data){cb9(data)}); ++ }); ++ ++ function cb9(data){ ++ eval("catRaw=" + data); ++ catDbg = catRaw.dbg; ++ if (catDbg == "0") { ++ ++ var curtotalrtcount = Number(ecls); ++ // Working on grouped events ++ if ($("#gr").text() == "on") { ++ curclasscount = Number($("#class_count").text()); ++ var curtotalparentcount = $(".d_row_active").find(".b_ec_hot").text(); ++ // Do we have queued events? ++ if (curtotalparentcount > 0) { ++ ++ // Are we working on queued events? ++ if (curtotalrtcount > 0) { ++ curclasscount = curtotalrtcount; ++ } else { ++ curclasscount = 0; ++ } ++ // Adjust the parent count ++ newparentcount = parseInt(curtotalparentcount - curclasscount,10); ++ $(".d_row_active").find(".b_ec_hot").text(newparentcount); ++ ++ if (newparentcount == 0) { ++ $(".d_row_active").find(".b_ec_hot").parent().attr('class','row'); ++ $(".d_row_active").find(".b_ec_hot").attr('class','b_ec_cold'); ++ } ++ ++ // If we are working within the child, adjust accordingly ++ if ($(".eview_sub1")[0]) { ++ // How many are in the child ++ curtotalchildcount = $(".d_row_sub_active").find(".b_ec_hot").text(); ++ ++ // Adjust the child count ++ newchildcount = parseInt(curtotalchildcount - curclasscount,10); ++ $(".d_row_sub_active").find(".b_ec_hot").text(newchildcount); ++ if (newchildcount == 0) { ++ $("#ca1").prop("disabled",true); ++ $(".d_row_sub_active").find(".b_ec_hot").parent().attr('class','sub'); ++ $(".d_row_sub_active").find(".b_ec_hot").attr('class','b_ec_cold'); ++ } ++ // Otherwise we were called from the parent ++ } else { ++ $(".d_row_sub").find(".b_ec_hot").parent().attr('class','sub'); ++ $(".d_row_sub").find(".b_ec_hot").text(0); ++ $(".d_row_sub").find(".b_ec_hot").attr('class','b_ec_cold'); ++ $("#ca0").prop("disabled",true); ++ } ++ lastclasscount = newparentcount; ++ } ++ ++ // Lastly, update class_count ++ if (rtbit == 1 || curtotalrtcount > 0 || $("#eview_sub")[0]) { ++ $("#class_count").html(0); ++ } else { ++ 
$("#class_count").html($(".d_row_active").find(".b_ec_total").text()); ++ } ++ ++ // Working on ungrouped events ++ } else { ++ $("#class_count").html(lastclasscount); ++ } ++ ++ // What the new classification is ++ selClass = $(caller).data("cn"); ++ newClass = "a_" + selClass; ++ ++ // Change visible class and disable if RT ++ // If we are RT ungrouped, we just remove ++ if ($('#rt').text() == 'on' && $("#ca2")[0]) { ++ $(".chk_event:checked").each(function() { ++ var pid = $(this).attr("id").split("_"); ++ var nid = parseInt(Number(pid[1]) + 1); ++ // Remove any open payload or TX panes ++ if ($("[id^=eview_]")[0]) { ++ $("[id^=eview_]").remove(); ++ $(".d_row_sub1").css('opacity','1'); ++ } ++ // Remove the row ++ $("#s" + pid[1]).fadeOut('fast', function() { ++ $("#s" + pid[1]).remove(); ++ }); ++ }); ++ ++ // Update table (for sorter) ++ $("#tl3b").trigger('update'); ++ } else { ++ // If we are RT and all events are classed we just remove ++ if ($('#rt').text() == 'on' && $(".d_row_active").find(".b_ec_hot").text() == 0) { ++ $("#active_eview").remove(); ++ $(".d_row_active").fadeOut('slow', function (event) { ++ $(".d_row_active").remove(); ++ var newsigtotal = "-"; ++ var sigtotal = $("#esignature").text(); ++ if (sigtotal > 0) { ++ newsigtotal = parseInt(sigtotal - 1); ++ } ++ $("#esignature").text(newsigtotal); ++ }); ++ $(".d_row").css('opacity','1'); ++ } else { ++ $(".chk_event:checked").each(function() { ++ var n = this.id.split("_"); ++ $("#class_box_" + n[1]).attr('class', newClass); ++ $("#class_box_" + n[1]).text(selClass); ++ if (curtotalparentcount > 0) { ++ $(this).prop("disabled",true); ++ } ++ }); ++ } ++ $(".d_row_sub1").css("background-color", "#fafafa"); ++ $(".d_row_sub1").hover(function(){$(this).css("background-color", "#f4f4f4")}, ++ function(){$(this).css("background-color", "#fafafa")}); ++ } ++ ++ // Uncheck everything ++ $(".chk_event").prop("checked", false); ++ $(".chk_all").prop("checked", false); ++ // Remove these scids from 
the L1 scidlist ++ if ($("#ca0")[0] && rtbit == 1) { ++ var cur_scidlist = scidlist.split(','); ++ var active_scidlist = $("#ca0").data("scid"); ++ for (var i = 0; i < cur_scidlist.length; i++) { ++ active_scidlist = active_scidlist.replace(cur_scidlist[i],''); ++ } ++ active_scidlist = active_scidlist.replace(/,{2,}/g,','); ++ active_scidlist = active_scidlist.replace(/(^,|,$)/g,''); ++ $("#ca0").data("scid", active_scidlist); ++ } ++ catMsg(scidlist.split(',').length, curtotalrtcount); ++ } else { ++ catMsg(0); ++ } ++ } ++ } ++ ++ function catMsg(count, rtcount) { ++ switch (count) { ++ default: ++ var ess = ''; ++ if ( count > 1 ) ess = 's'; ++ ++ var numrows = Number($('.d_row').length + $('.d_row_sub1').length); ++ var newboxtotal = 0, newcatcount = 0; ++ newboxtotal = parseInt($("#qtotal").text() - rtcount); ++ $("#qtotal").text(newboxtotal); ++ ++ // If we are just rt update Total boxes as we go ++ if ($("#ca2")[0]) { // We are ungrouped ++ newcatcount = parseInt($("#cat_count").text() - count); ++ if (newcatcount == 0) { ++ newView("u"); ++ } else { ++ $("#cat_count").text(newcatcount); ++ } ++ } ++ ++ if (numrows == 0) { ++ newView("u"); ++ } ++ ++ var msg = count + " event" + ess + " categorized"; ++ clearTags(); ++ break; ++ } ++ ++ $("span.class_msg").text(msg); ++ $("span.class_msg").fadeIn('slow', function() { ++ setTimeout(function(){ ++ $(".class_msg").fadeOut('slow'); ++ }, 3000); ++ }); ++ } ++ ++ // Load summary tab ++ function loadSummary() { ++ var limit = 10; ++ if ($('#wm0')[0]) { ++ doMap("redraw"); ++ } else { ++ doMap("draw"); ++ } ++ mkSummary("signature",limit); ++ mkSummary("srcip",limit); ++ mkSummary("dstip",limit); ++ mkSummary("srcpt",limit); ++ mkSummary("dstpt",limit); ++ mkSummary("srccc",limit); ++ mkSummary("dstcc",limit); ++ } ++ ++ // Toggle summary section ++ $(document).on("click", ".hidepane", function(e) { ++ $('#topsignature').toggle(); ++ }); ++ ++ // Summary tab ++ function mkSummary(box,limit) { ++ var theWhen = 
getTimestamp(); ++ var theSensors = s2h('empty'); ++ var theFilter = mkFilter(); ++ // See if we are filtering by sensor ++ if ($('.chk_sen:checked').length > 0) { ++ var active_sensors = "AND event.sid IN("; ++ var iter = $('.chk_sen:checked').length; ++ $('.chk_sen:checked').each(function() { ++ active_sensors += "'" + $(this).val() + "',"; ++ }); ++ active_sensors = active_sensors.replace(/,+$/,''); ++ active_sensors += ")"; ++ theSensors = s2h(active_sensors); ++ } ++ ++ var ldr = "
"; ++ $('#ov_' + box + '_sl').prepend(ldr); ++ $('#top' + box).fadeTo('fast', 0.2); ++ switch (box) { ++ case "srcip": ++ var cbArgs = "srcip"; ++ var qargs = "ip-src"; ++ var urArgs = "type=15&qargs=" + qargs + "&filter=" + theFilter + "&sensors=" + theSensors + "&limit=" + limit + "&ts=" + theWhen; ++ $(function(){ ++ $.get(".inc/callback.php?" + urArgs, function(data){cb15(data,cbArgs)}); ++ }); ++ break; ++ case "dstip": ++ var cbArgs = "dstip"; ++ var qargs = "ip-dst"; ++ var urArgs = "type=15&qargs=" + qargs + "&filter=" + theFilter + "&sensors=" + theSensors + "&limit=" + limit + "&ts=" + theWhen; ++ $(function(){ ++ $.get(".inc/callback.php?" + urArgs, function(data){cb15(data,cbArgs)}); ++ }); ++ break; ++ case "srcpt": ++ var cbArgs = "srcpt"; ++ var qargs = "pt-src"; ++ var urArgs = "type=15&qargs=" + qargs + "&filter=" + theFilter + "&sensors=" + theSensors + "&limit=" + limit + "&ts=" + theWhen; ++ $(function(){ ++ $.get(".inc/callback.php?" + urArgs, function(data){cb17(data,cbArgs)}); ++ }); ++ break; ++ case "dstpt": ++ var cbArgs = "dstpt"; ++ var qargs = "pt-dst"; ++ var urArgs = "type=15&qargs=" + qargs + "&filter=" + theFilter + "&sensors=" + theSensors + "&limit=" + limit + "&ts=" + theWhen; ++ $(function(){ ++ $.get(".inc/callback.php?" + urArgs, function(data){cb17(data,cbArgs)}); ++ }); ++ break; ++ case "signature": ++ var qargs = "sig-sig"; ++ var urArgs = "type=15&qargs=" + qargs + "&filter=" + theFilter + "&sensors=" + theSensors + "&limit=" + limit + "&ts=" + theWhen; ++ $(function(){ ++ $.get(".inc/callback.php?" + urArgs, function(data){cb16(data)}); ++ }); ++ break; ++ case "srccc": ++ var cbArgs = "srccc"; ++ var qargs = "cc-src"; ++ var urArgs = "type=15&qargs=" + qargs + "&filter=" + theFilter + "&sensors=" + theSensors + "&limit=" + limit + "&ts=" + theWhen; ++ $(function(){ ++ $.get(".inc/callback.php?" 
+ urArgs, function(data){cb15(data,cbArgs)}); ++ }); ++ break; ++ case "dstcc": ++ var cbArgs = "dstcc"; ++ var qargs = "cc-dst"; ++ var urArgs = "type=15&qargs=" + qargs + "&filter=" + theFilter + "&sensors=" + theSensors + "&limit=" + limit + "&ts=" + theWhen; ++ $(function(){ ++ $.get(".inc/callback.php?" + urArgs, function(data){cb15(data,cbArgs)}); ++ }); ++ break; ++ } ++ ++ // IP and Country ++ function cb15(data,cbArgs){ ++ var ch = "SRC"; ++ var wip = "d"; ++ if (cbArgs[0] == "s") ch = "DST", wip = "s"; ++ eval("raw=" + data); ++ var tbl = '', head = '', row = ''; ++ head += ""; ++ head += "COUNT"; ++ head += "%TOTAL"; ++ head += "#SIG"; ++ head += "#" + ch + ""; ++ if (cbArgs[3] == "c") { ++ head += "COUNTRY"; ++ head += "#IP"; ++ } else { ++ head += "IP"; ++ head += "COUNTRY"; ++ } ++ head += ""; ++ ++ var eventsum = raw[raw.length - 1].n || 0; ++ var records = raw[raw.length - 1].r || 0; ++ if (records == 0) { ++ row = "No result."; ++ $("#ov_" + cbArgs + "_sl").text(""); ++ } ++ for (var i=0; i 0) per = parseFloat(cnt/eventsum*100).toFixed(2); ++ row += ""; ++ row += "" + cnt + ""; ++ row += "" + per + "%"; ++ row += "" + sigs + ""; ++ row += "" + ip2 + ""; ++ ++ if (cbArgs[3] == "c") { ++ row += ""; ++ row += cs[1] + clong + " (." + cc.toLowerCase() + ")" + ""; ++ row += "" + ip + ""; ++ } else { ++ row += "
" + ip + ""; ++ row += ""; ++ row += cs[1] + clong + " (." + cc.toLowerCase() + ")" + ""; ++ } ++ row += ""; ++ row += "
"; ++ } ++ tbl += ""; ++ tbl += head; ++ tbl += row; ++ tbl += "
"; ++ if ($("#top" + cbArgs)[0]) $("#top" + cbArgs).remove(); ++ $("#ov_" + cbArgs + "_sl").after(tbl); ++ $("#ov_" + cbArgs + "_msg").html("viewing " + i + " of " + records + " results"); ++ mkSlider("ov_" + cbArgs + "_sl", i, records); ++ } ++ ++ // Ports ++ function cb17(data,cbArgs){ ++ eval("raw=" + data); ++ var tbl = '', head = '', row = ''; ++ head += ""; ++ head += "COUNT"; ++ head += "%TOTAL"; ++ head += "#SIG"; ++ head += "#SRC" ++ head += "#DST"; ++ head += "PORT"; ++ head += ""; ++ ++ var eventsum = raw[raw.length - 1].n || 0; ++ var records = raw[raw.length - 1].r || 0; ++ if (records == 0) { ++ row = "No result."; ++ $("#ov_" + cbArgs + "_sl").text(""); ++ } ++ for (var i=0; i 0) per = parseFloat(cnt/eventsum*100).toFixed(2); ++ row += ""; ++ row += "" + cnt + ""; ++ row += "" + per + "%"; ++ row += "" + sigs + ""; ++ row += "" + src + ""; ++ row += "" + dst + ""; ++ row += "" + port + ""; ++ row += ""; ++ row += "
"; ++ } ++ tbl += ""; ++ tbl += head; ++ tbl += row; ++ tbl += "
"; ++ if ($("#top" + cbArgs)[0]) $("#top" + cbArgs).remove(); ++ $("#ov_" + cbArgs + "_sl").after(tbl); ++ $("#ov_" + cbArgs + "_msg").html("viewing " + i + " of " + records + " results"); ++ mkSlider("ov_" + cbArgs + "_sl", i, records); ++ } ++ // Signature ++ function cb16(data){ ++ eval("raw=" + data); ++ var tbl = '', head = '', row = ''; ++ head += ""; ++ head += "COUNT"; ++ head += "%TOTAL"; ++ head += "#SRC"; ++ head += "#DST"; ++ head += "SIGNATURE"; ++ head += "ID"; ++ head += ""; ++ ++ var eventsum = raw[raw.length - 1].n || 0; ++ var records = raw[raw.length - 1].r || 0; ++ if (records == 0) { ++ row = "No result."; ++ $("#ov_signature_sl").text(""); ++ $("#ovestat").html("(No events)"); ++ } else { ++ $("#ovestat").html("(" + eventsum + " events)"); ++ } ++ for (var i=0; i 0) per = parseFloat(cnt/eventsum*100).toFixed(2); ++ row += ""; ++ row += "" + cnt + ""; ++ row += "" + per + "%"; ++ row += "" + src + ""; ++ row += "" + dst + ""; ++ row += "" + sig + ""; ++ row += "" + sid + ""; ++ row += ""; ++ row += "
"; ++ } ++ ++ tbl += ""; ++ tbl += head; ++ tbl += row; ++ tbl += "
"; ++ if ($('#topsignature')[0]) $('#topsignature').remove(); ++ $("#ov_signature_sl").after(tbl); ++ $("#ov_signature_msg").html("viewing " + i + " of " + records + " results"); ++ mkSlider("ov_signature_sl", i, records); ++ } ++ } ++ ++ $(".ovsl").mouseup(function() { ++ var section = $(this).attr('id'); ++ var base = section.split("_")[1]; ++ var limit = Number($("#" + section + "_lbl").text()); ++ if (limit > 0) mkSummary(base, limit); ++ }); ++ ++ // ++ // Views tab ++ // ++ ++ function loadViews() { ++ $('.db_links').show(); ++ if (!$("#db_view_cont")[0]) mkView(); ++ } ++ ++ // Link handlers ++ $(document).on('click', '.db_link', function() { ++ $('.db_link').each(function() { ++ if ($(this).data('state') == '1') { ++ $(this).removeClass('db_link_active'); ++ $(this).data('state', '0'); ++ } ++ }); ++ $(this).data('state', '1'); ++ mkView(); ++ }); ++ ++ $(document).on('click', '.db_type', function() { ++ $('.db_type').each(function() { ++ if ($(this).data('state') == '1') { ++ $(this).removeClass('db_type_active'); ++ $(this).data('state', '0'); ++ } ++ }); ++ $(this).data('state', '1'); ++ mkView(); ++ }); ++ ++ $(document).on('click','.db_save', function() { ++ ++ }); ++ ++ // Create the view ++ function mkView() { ++ $('#db_view_cont,#hp_info').remove(); ++ if (!$("#db_view_ldr")[0]) { ++ var view = 'ip'; ++ $('.db_link').each(function() { ++ if ($(this).data('state') == '1') { ++ $(this).addClass('db_link_active'); ++ view = $(this).data('val'); ++ } ++ }); ++ ++ var type = 'sk'; ++ $('.db_type').each(function() { ++ if ($(this).data('state') == '1') { ++ $(this).addClass('db_type_active'); ++ type = $(this).data('type'); ++ } ++ }); ++ ++ var theWhen = getTimestamp(); ++ var theSensors = s2h('empty'); ++ var theFilter = mkFilter(); ++ // See if we are filtering by sensor ++ if ($('.chk_sen:checked').length > 0) { ++ var active_sensors = "AND event.sid IN("; ++ var iter = $('.chk_sen:checked').length; ++ $('.chk_sen:checked').each(function() { ++ 
active_sensors += "'" + $(this).val() + "',"; ++ }); ++ active_sensors = active_sensors.replace(/,+$/,''); ++ active_sensors += ")"; ++ theSensors = s2h(active_sensors); ++ } ++ ++ var ldr = "
"; ++ $('.db_view').after(ldr); ++ var qargs = view + "-" + type; ++ var urArgs = "type=16&qargs=" + qargs + "&filter=" + theFilter + "&sensors=" + theSensors + "&ts=" + theWhen; ++ $(function(){ ++ $.get(".inc/callback.php?" + urArgs, function(data){cb17(data,type)}); ++ }); ++ ++ function cb17(data,type) { ++ eval("viewData=" + data); ++ var records = viewData.records; ++ if ($('#db_view_cont')[0]) $('#db_view_cont').remove(); ++ if (records > 0) { ++ $('.db_view').after("
"); ++ switch (type) { ++ case 'sk': ++ var w = $(window).width(); ++ var h = viewData.links.length * 12; ++ if (h < 100) h = 100; ++ mkSankey("db_view_cont",viewData,w,h); ++ break; ++ } ++ } else { ++ $('.db_view').after("
The query returned no results.
"); ++ } ++ $('#db_view_ldr').remove(); ++ } ++ } ++ } ++ ++ // Make a map ++ function doMap() { ++ theWhen = getTimestamp(); ++ var theFilter = mkFilter(); ++ var working = "Working
"; ++ ++ $('#wm0').html(working); ++ ++ var urArgs = "type=" + 10 + "&filter=" + theFilter + "&ts=" + theWhen; ++ $(function(){ ++ $.get(".inc/callback.php?" + urArgs, function(data){cb10(data)}); ++ }); ++ ++ function cb10(data){ ++ eval("mapRaw=" + data); ++ try { ++ var mapDetail = $.parseJSON("{" + mapRaw.all + "}"); ++ var srcc = mapRaw.srcc; ++ var srce = mapRaw.srce; ++ var dstc = mapRaw.dstc; ++ var dste = mapRaw.dste; ++ var allc = mapRaw.allc; ++ var alle = mapRaw.alle; ++ } ++ catch(e) { ++ var mapDetail = "{\"\"}"; ++ } ++ ++ // What is our current event total? ++ var esum = $('#event_sum').val(); ++ var w = $(window).width() - 72; ++ var h = w / 2.7 ; ++ $("#ov_map").html("
"); ++ $('#wm0').vectorMap({ ++ map: 'world_mill_en', ++ color: '#f4f3f0', ++ backgroundColor: '#CFE1FC', ++ zoomOnScroll: false, ++ onRegionClick: function(event, code){ ++ hItemAdd(code); ++ $('#search').val("cc" + " " + code); ++ $('#search').focus(); ++ }, ++ series: { ++ regions: [{ ++ values: mapDetail, ++ scale: ['#ffffff', '#000000'], ++ normalizeFunction: 'polynomial' ++ }] ++ }, ++ onRegionLabelShow: function(e, el, code){ ++ if (mapDetail[code]) { ++ var eper = parseFloat(mapDetail[code]/esum*100).toFixed(3); ++ el.html(el.html() + ' (' + mapDetail[code] + ' Events ' + eper + '% of Total)'); ++ } else { ++ el.html(el.html()); ++ } ++ } ++ }); ++ ++ var stats = "("; ++ stats += allc + " distinct countries)"; ++ $("#ovmapstat").html(stats); ++ } ++ } ++ ++ // Redraw map ++ $(document).on("click", "#map_src, #map_dst", function() { ++ doMap($(this).attr('id').split("_")[1]); ++ }); ++ ++ // ++ // History ++ // ++ ++ function doHistory(object) { ++ $('#loader').show(); ++ var urArgs = "type=" + 21 + "&object=" + s2h("aa" + object) + "&ts=" + theWhen; ++ $(function(){ ++ $.get(".inc/callback.php?" 
+ urArgs, function(data){cb21(data)}); ++ }); ++ ++ function cb21(data){ ++ eval("chartData=" + data); ++ var r1 = chartData.r1; ++ var r2 = chartData.r2; ++ var sum = 0; ++ if (r1 > 0) { ++ mkHeatMap(".ev_hm",chartData.start,chartData.rows1,object); ++ $('#obhist_sig').remove(); ++ if (r2 > 0) { ++ ++ for (var i=0; i < r2; i++) { ++ sum += Number(chartData.rows2[i].value); ++ } ++ ++ var tbl = '', head = '', row = ''; ++ head += ""; ++ head += "COUNT"; ++ head += "%TOTAL"; ++ head += "SIGNATURE"; ++ head += ""; ++ row += ""; ++ ++ for (var i=0; i < r2; i++) { ++ ++ var cnt = chartData.rows2[i].value || "-"; ++ var sig = chartData.rows2[i].label || "-"; ++ var sid = chartData.rows2[i].sid || "-"; ++ var per = 0; ++ if (sum > 0) var per = parseFloat(cnt/sum*100).toFixed(2); ++ var tsg = truncTag(sig,60); ++ ++ row += ""; ++ row += "" + cnt + ""; ++ row += "" + per + "%"; ++ row += "" + tsg + ""; ++ row += "" ++ row += "
"; ++ } ++ ++ row += ""; ++ tbl += ""; ++ tbl += head; ++ tbl += row; ++ tbl += "
"; ++ if ($('#obhist_sig')[0]) $('#obhist_sig').remove(); ++ $(".ev_py").append(tbl); ++ } ++ } else { ++ return; ++ } ++ if ($(".eview_charts")[0]) $('.eview_charts').slideDown('slow'); ++ $("#loader").hide(); ++ } ++ } ++// The End. ++}); +--- securityonion-squert-20161212.orig/.inc/callback.php ++++ securityonion-squert-20161212/.inc/callback.php +@@ -537,74 +537,8 @@ function tab() { + } + + function transcript() { +- +- global $offset; +- $txdata = hextostr($_REQUEST['txdata']); +- $usr = $_SESSION['sUser']; +- $pwd = $_SESSION['sPass']; +- list($sid, $timestamp, $sip, $spt, $dip, $dpt) = explode("|", $txdata); +- $sqlsid = mysql_real_escape_string($sid); +- // Lookup sensorname +- $query = "SELECT hostname FROM sensor +- WHERE sid = '$sqlsid'"; +- +- $qResult = mysql_query($query); +- +- $sensorName = mysql_result($qResult, 0); +- $cmdsid = escapeshellarg($sid); +- $cmdsip = escapeshellarg($sip); +- $cmddip = escapeshellarg($dip); +- $cmdspt = escapeshellarg($spt); +- $cmddpt = escapeshellarg($dpt); +- +- $cmd = "../.scripts/cliscript.tcl \"$usr\" \"$sensorName\" \"$timestamp\" $cmdsid $cmdsip $cmddip $cmdspt $cmddpt"; +- $descspec = array( +- 0 => array("pipe", "r"), +- 1 => array("pipe", "w"), +- 2 => array("pipe", "w") +- ); +- +- $proc = proc_open($cmd, $descspec, $pipes); +- $debug = "Process execution failed"; +- $_raw = $fmtd = ""; +- if (is_resource($proc)) { +- fwrite($pipes[0], $pwd); +- fclose($pipes[0]); +- $_raw = stream_get_contents($pipes[1]); +- fclose($pipes[1]); +- $debug = fgets($pipes[2]); +- fclose($pipes[2]); +- } +- +- $raw = explode("\n", $_raw); +- foreach ($raw as $line) { +- +- $line = htmlspecialchars($line); +- $type = substr($line, 0,3); +- +- switch ($type) { +- case "DEB": $debug .= preg_replace('/^DEBUG:.*$/', "$0", $line) . "
"; $line = ''; break; +- case "HDR": $line = preg_replace('/(^HDR:)(.*$)/', "$2", $line); break; +- case "DST": $line = preg_replace('/^DST:.*$/', "$0", $line); break; +- case "SRC": $line = preg_replace('/^SRC:.*$/', "$0", $line); break; +- default: $line = ""; break; +- } +- +- if (strlen($line) > 0) { +- $fmtd .= $line . "
"; +- } +- } +- +- if (strlen($fmtd) > 0) { +- $fmtd .= "
" . $debug;
+- }
+-
+- $result = array("tx" => "$fmtd",
+- "dbg" => "$_raw",
+- "cmd" => "$cmd");
+-
+- $theJSON = json_encode($result);
+- echo $theJSON;
++ # We no longer use Squert's native transcript functionality.
++ # Squert now pivots to CapMe for transcripts.
+ }
+ 
+ function filters() {
+@@ -684,7 +618,12 @@ function cat() {
+ list($cat, $msg, $lst) = explode("|||", $catdata);
+ $msg = htmlentities($msg);
+ 
+- $cmd = "../.scripts/clicat.tcl 0 \"$usr\" \"$cat\" \"$msg\" \"$lst\"";
++ $cmdusr = escapeshellarg($usr);
++ $cmdcat = escapeshellarg($cat);
++ $cmdmsg = escapeshellarg($msg);
++ $cmdlst = escapeshellarg($lst);
++
++ $cmd = "../.scripts/clicat.tcl 0 $cmdusr $cmdcat $cmdmsg $cmdlst";
+ $descspec = array(
+ 0 => array("pipe", "r"),
+ 1 => array("pipe", "w")
+@@ -1243,7 +1182,19 @@ function autocat() {
+ $expires = gmdate("Y-m-d H:i:s", strtotime("+ $expires"));
+ }
+ 
+- $cmd = "../.scripts/clicat.tcl 1 \"$usr\" \"$expires\" \"$v[sensor]\" \"$v[src_ip]\" \"$v[src_port]\" \"$v[dst_ip]\" \"$v[dst_port]\" \"$v[proto]\" \"$v[signature]\" \"$v[status]\" \"$v[comment]\"";
++ $cmdusr = escapeshellarg($usr);
++ $cmdexpires = escapeshellarg($expires);
++ $cmdsensor = escapeshellarg($v['sensor']);
++ $cmdsrcip = escapeshellarg($v['src_ip']);
++ $cmdsrcport = escapeshellarg($v['src_port']);
++ $cmddstip = escapeshellarg($v['dst_ip']);
++ $cmddstport = escapeshellarg($v['dst_port']);
++ $cmdproto = escapeshellarg($v['proto']);
++ $cmdsignature = escapeshellarg($v['signature']);
++ $cmdstatus = escapeshellarg($v['status']);
++ $cmdcomment = escapeshellarg($v['comment']);
++
++ $cmd = "../.scripts/clicat.tcl 1 $cmdusr $cmdexpires $cmdsensor $cmdsrcip $cmdsrcport $cmddstip $cmddstport $cmdproto $cmdsignature $cmdstatus $cmdcomment";
+ $descspec = array(0 => array("pipe", "r"), 1 => array("pipe", "w"));
+ $proc = proc_open($cmd, $descspec, $pipes);
+ $debug = "Process execution failed";
+@@ -1267,7 +1218,11 @@ function autocat() {
+ $type = 3;
+ }
+ 
+- $cmd = 
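Review bot: transcript() is left with a body of two comments and no output, so any request that still dispatches to it receives an empty response where the removed code echoed a JSON object with `tx`, `dbg` and `cmd` keys, and a client that parses that response will fail on the empty body. If the type-to-function mapping still routes to transcript(), either remove that entry or keep the response contract with a stub such as `echo json_encode(array("tx" => "", "dbg" => "Transcript disabled; pivot to CapMe", "cmd" => ""));`. Whether any caller remains is not visible from this hunk; the new squertMain.js lines shown here do not issue a transcript request, but the rest of that file is outside this view.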
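Review bot: escapeshellarg() on `$cat` and `$lst` makes the values safe for the shell but does not constrain their shape before clicat.tcl consumes them; the client appears to build these from a numeric class id and a comma-separated sid.cid list (the new squertMain.js builds `catdata = intclass + "|||" + msg + "|||" + scidlist`), so a cheap shape check before the command is built — `if (!ctype_digit((string)$cat) || !preg_match('/^[0-9.,]*$/', $lst)) { /* reject with the function's usual error envelope */ }` — keeps unexpected input out of the helper script entirely. The same consideration applies to the `$v[...]` fields in the second autocat() hunk and to `$id` in the third. Note also that escapeshellarg() drops characters invalid in the current locale, which matters for the free-text `$msg` and comment values if the process locale is not UTF-8. cat() starts and ends outside this hunk.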
"../.scripts/clicat.tcl $type \"$usr\" $id"; ++ $cmdtype = escapeshellarg($type); ++ $cmdusr = escapeshellarg($usr); ++ $cmdid = escapeshellarg($id); ++ ++ $cmd = "../.scripts/clicat.tcl $cmdtype $cmdusr $cmdid"; + $descspec = array(0 => array("pipe", "r"), 1 => array("pipe", "w")); + $proc = proc_open($cmd, $descspec, $pipes); + $debug = "Process execution failed"; +--- securityonion-squert-20161212.orig/.js/squertMain.js ++++ /dev/null +@@ -1,3275 +0,0 @@ +-/* Copyright (C) 2012 Paul Halliday */ +- +-$(document).ready(function(){ +- +- $(document).on('click', '[class*="bpr"]', function() { +- // We disallow filtering if any events have already been selected +- // or if we stray from the event tab +- if ($('.d_row_active')[0]) return; +- if ($(".chk_event:checked").length > 0) return; +- if ($(".tab_active").attr('id') != 't_sum') return; +- +- var prClass = $(this).attr('class').split('b')[1]; +- var prOld = $(this).data('pr'); +- +- function flipIt(pattern) { +- $(pattern).closest('tr').hide(); +- $(pattern).closest('tr').attr('class','hidden'); +- if ($('#gr').text() == 'on') $(pattern).closest('tr').find('.chk_event').prop("disabled",true); +- } +- if ($('.b' + prClass).attr('class') == 'bprA') { +- $('.b' + prClass).attr('class', 'bpr' + prOld); +- $('.hidden').attr('class','d_row'); +- $('.d_row').show(); +- if ($('#gr').text() == 'on') { +- $('.chk_event').prop("disabled",false); +- $('.chk_all').prop("checked",false); +- $('.chk_event').css("background-color", "#fafafa"); +- } +- } else { +- // See if we are already filtered +- if ($('.bprA')[0]) { +- $('.hidden').attr('class','d_row'); +- $('.d_row').show(); +- if ($('#gr').text() == 'on') { +- $('.chk_event').prop("disabled",false); +- $('.chk_all').prop("checked",false); +- $('.chk_event').css("background-color", "#fafafa"); +- } +- var prPrev = $('.bprA').data('pr'); +- $('.bprA').attr('class', 'bpr' + prPrev); +- } +- $('.b' + prClass).attr('class','bprA'); +- switch (prClass) { +- case "pr1": ptrn = 
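Review bot: The eleven near-identical `$cmdX = escapeshellarg(...)` assignments in the first autocat() hunk, followed by a twelve-token format string, make it easy for the argument order to drift from what clicat.tcl expects when a field is added or removed; a single ordered list passed through array_map() and joined with implode() keeps the order in one place and guarantees no argument can be appended unescaped. The file already uses `array()` and string callables, so the rewrite below stays within its style. If any of the `$v[...]` keys can be absent, the lookup emits a notice and passes an empty argument either way, which is unchanged from before; a `?? ''` default is not available if the deployment still runs PHP 5. autocat() starts and ends outside this hunk.
```php
// Every argument is shell-escaped; the order here must match what clicat.tcl expects.
$cmdargs = array_map('escapeshellarg', array(
    $usr, $expires,
    $v['sensor'], $v['src_ip'], $v['src_port'],
    $v['dst_ip'], $v['dst_port'], $v['proto'],
    $v['signature'], $v['status'], $v['comment'],
));
$cmd = "../.scripts/clicat.tcl 1 " . implode(' ', $cmdargs);
// … unchanged: $descspec / proc_open / $debug …
```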
".pr2,.pr3,.pr4"; break; +- case "pr2": ptrn = ".pr1,.pr3,.pr4"; break; +- case "pr3": ptrn = ".pr1,.pr2,.pr4"; break; +- case "pr4": ptrn = ".pr1,.pr2,.pr3"; break; +- } +- flipIt(ptrn); +- } +- }); +- +- // +- // Load main content +- // +- +- // Keep track of context +- thisUser = $('#t_usr').data('c_usr'); +- thisTZ = $('#user_tz').val(); +- rtbit = 0; +- eventList("0-aaa-00"); +- $("#loader").show(); +- lastclasscount = 0; +- +- $(document).on("click", "#dt_savetz", function(event) { +- if ($('.dt_error').data('err') == 0) { +- var newOffset = $('#ts_offset').val(); +- profileUpdate("tz", s2h(newOffset)); +- $('#user_tz').val(newOffset); +- } +- }); +- +- // Depending on context a 'No result' may be confusing +- // so we turn off active queue and show everything +- $(document).on('click', '#retry', function() { +- $('#rt').attr('class','tvalue_off'); +- $('#rt').text('off'); +- rtbit = 0; +- $('.b_update').click(); +- }); +- +- // Get event statuses +- var eTotal = 0, qTotal = 0; +- function statusPoll(caller) { +- // See if we are filtering by sensor +- var theSensors = s2h('empty'); +- if ($('.chk_sen:checked').length > 0) { +- var active_sensors = "AND event.sid IN("; +- var iter = $('.chk_sen:checked').length; +- $('.chk_sen:checked').each(function() { +- active_sensors += "'" + $(this).val() + "',"; +- }); +- active_sensors = active_sensors.replace(/,+$/,''); +- active_sensors += ")"; +- theSensors = s2h(active_sensors); +- } +- +- var urArgs = "type=" + 6 + "&ts=" + theWhen + "&sensors=" + theSensors; +- $(function(){ +- $.get(".inc/callback.php?" + urArgs, function(data){cb(data)}); +- }); +- +- function cb(data){ +- // Check to make sure we still have a valid session. If we don't +- // let the user know and return them to the login page. 
+- if (data[0] == "<") { +- $("span.class_msg").text("Your session has expired!"); +- $("span.class_msg").css("background-color", "#cc0000"); +- $("span.class_msg").css("color", "#fff"); +- $("span.class_msg").show(); +- var sessionDead = confirm("Your session has expired. Press \"OK\" to return to the login page. If you aren't finished with what you were looking at click 'Cancel'. Note: you won't be able to perform any actions."); +- if (sessionDead) { +- $("#logout").click(); +- } +- } +- eval("ec=" + data); +- +- var esum = 0; +- +- for (var i=0; i 0) { +- var p = parseFloat(ecount/esum*100).toFixed(1); +- var w = parseInt(p*2); +- } +- if (eclass == 0) { +- qTotal = ecount; +- } +- $("#c-" + eclass).text(ecount); +- $("#c-" + eclass).append("(" + p + "%)"); +- } +- +- var lastcount = $("#cat_sum").val(); +- var newcount = esum; +- $("#cat_sum").val(esum); +- eTotal = esum; +- $("#event_sum").val(eTotal); +- +- if (caller == 0) { // Fresh load +- lastcount = newcount; +- } +- +- // Last RT value +- var lastQ = Number($("#qtotal").html()); +- if (lastcount < newcount) { +- $("#etotal").html(eTotal); +- } +- +- if (lastQ < qTotal) { +- if (caller != 0) { +- if ($(".icon_notifier").css('display') == 'none') $(".icon_notifier").fadeToggle(); +- } +- $("#etotal").html(eTotal); +- $("#qtotal").html(qTotal); +- } +- +- $("#title").html("squert (" + qTotal + ") - " + thisUser); +- +- } +- +- } +- +- // +- // Event monitor (how often we poll for new events) +- // +- +- var emTimeout = 30000; +- window.setInterval(function(){ +- if ($('#search').val().length == 0) { +- statusPoll(1); +- } +- }, emTimeout); +- +- $(document).on("click", '[class*="cl_"]', function(event) { +- var nc = $(this).attr('class').split("_"); +- var ct = $(this).parents('table').data('comment'); +- $(".cat_msg_txt").val(ct); +- $('#b_class-' + nc[1]).click(); +- }); +- +- // Tabs +- var tab_cached = $("#sel_tab").val(); +- +- switch (tab_cached) { +- case "t_sum": +- $('.content-right').show(); +- 
break; +- case "t_ovr": +- $('.content-right').hide(); +- $('.content-left').hide(); +- if ($('#ovestat').text().length == 0) loadSummary(); +- break; +- case "t_view": +- $('.content-right').hide(); +- $('.content-left').hide(); +- loadViews(); +- default: +- $('.content-right').hide(); +- $('.content-left').hide(); +- break; +- } +- +- $('#' + tab_cached).attr('class','tab_active'); +- $("#" + tab_cached + "_content").attr('class','content_active'); +- +- $(".tab,.tab_active").click(function(event) { +- var active = $(".tab_active").attr('id'); +- var content = $(".content_active").attr('id'); +- if ($(".fl_val_on")[0]) { +- $('.b_update').click(); +- } +- +- if ( this.id != active ) { +- $("#" + active).removeClass('tab_active'); +- $("#" + active).addClass('tab'); +- $(this).attr('class','tab_active'); +- $("#" + content).attr('class','content'); +- $("#" + this.id + "_content").attr('class','content_active'); +- activeTab = $(".tab_active").attr('id'); +- $('.pin').hide(); +- +- switch (activeTab) { +- case "t_sum": +- $('.content-right').show(); +- if (Number($('.botog').data('val')) == 1) $('.content-left').show(); +- $('.t_pbar').css('opacity',1); +- $('.db_links').hide(); +- $('.pin').show(); +- break; +- case "t_ovr": +- $('.content-right').hide(); +- $('.content-left').hide(); +- if ($('#ovestat').text().length == 0) loadSummary(); +- $('.t_pbar').css('opacity',.1); +- $('.db_links').hide(); +- break; +- case "t_view": +- $('.content-right').hide(); +- $('.content-left').hide(); +- $('.t_pbar').css('opacity',.1); +- loadViews(); +- break; +- default: +- $('.content-right').hide(); +- $('.content-left').hide(); +- $('.t_pbar').css('opacity',.1); +- $('.db_links').hide(); +- break; +- } +- +- $('#sel_tab').val(activeTab); +- var ctab = $('#sel_tab').val(); +- var urArgs = "type=" + 5 + "&tab=" + ctab; +- $.get(".inc/callback.php?" 
+ urArgs); +- } +- }); +- +- // Sub tab groups +- $(".tsg").click(function(event) { +- var nc = Number($(this).attr('class').split(/\s/).length); +- var ct = $(this).data('tab'); +- $('.tsg_active').attr('class','tsg'); +- $(this).attr('class','tsg tsg_active'); +- }); +- +- // Toggle and update views +- function newView(req) { +- // No racing please +- var bail = $("#loader").css('display'); +- if (bail != 'none') return; +- // Remove any stale views +- $("#tl0,#tl1,#tl3a,#tl3b").remove(); +- var f = "0-aaa-00"; +- var s = "2a-aaa-00"; +- var cv = $("#gr").text(); +- +- switch (cv) { +- case "on": +- eventList(f); +- $("#loader").show(); +- break; +- case "off": +- eventList(s); +- $("#loader").show(); +- break; +- } +- } +- +- // Group and ungroup +- $(document).on("click", "#gr", function(event) { +- var bail = $("#loader").css('display'); +- if (bail != 'none') return; +- var cv = $('#gr').text(); +- switch (cv) { +- case 'on': +- $('#gr').attr('class','tvalue_off'); +- $('#gr').text('off'); +- break; +- case 'off': +- $('#gr').attr('class','tvalue_on'); +- $('#gr').text('on'); +- $("#event_sort").val("DESC"); +- break; +- } +- }); +- +- // RT check/uncheck +- $(document).on("click", "#rt", function(event) { +- var bail = $("#loader").css('display'); +- if (bail != 'none') return; +- var cv = $('#rt').text(); +- switch (cv) { +- case 'on': +- $('#rt').attr('class','tvalue_off'); +- $('#rt').text('off'); +- rtbit = 0; +- break; +- case 'off': +- $('#rt').attr('class','tvalue_on'); +- $('#rt').text('on'); +- rtbit = 1; +- break; +- } +- }); +- +- // Toggle side/lower bars +- $(document).on("click", ".botog", function(event) { +- if ($('.tab_active').attr('id') != 't_sum') return; +- var n = Number($('.botog').data("val")); +- switch (n) { +- case 1: +- $('.botog').data("val","0"); +- $('.content-right').css("width","100%"); +- $('.botog').attr('src','.css/layout0.png'); +- break; +- case 0: +- $('.botog').data("val","1"); +- 
$('.content-right').css("width","82%"); +- $('.botog').attr('src','.css/layout1.png'); +- break; +- } +- $('.bottom').animate({height: 'toggle'}); +- $('.content-left').animate({width: 'toggle'}); +- }); +- +- // Section show and hide +- $(".st").click(function() { +- var thisSec = $(this).data("sec"); +- var thisSecID = "#sec_" + thisSec; +- var thisSecVis = $(thisSecID).css("display"); +- var lastSection = "h"; +- switch (thisSecVis) { +- case "none": +- $(this).attr("src", ".css/uarr.png"); +- $(thisSecID).slideDown(); +- break; +- default: +- $(this).attr("src", ".css/darr.png"); +- $(thisSecID).slideUp(); +- break; +- } +- }); +- +- // If search is in focus, update on enter +- $('#search').keypress(function(e) { +- if (!e) e=window.event; +- key = e.keyCode ? e.keyCode : e.which; +- if (key == 13) { +- // Close comment box if it is open +- if ($('#cat_box').css('display') != 'none') { +- $('#ico01').click(); +- } +- $('.b_update').click(); +- } +- }); +- +- // Sort ASC/DESC +- $(document).on("click", ".event_time", function(event) { +- var csv = $(".event_time").text(); +- switch (csv) { +- case "show oldest first": +- $("#event_sort").val("ASC"); +- break; +- case "show newest first": +- $("#event_sort").val("DESC"); +- break; +- } +- newView("u"); +- }); +- +- // Update page +- $(document).on("click", ".b_update", function(event) { +- $(".icon_notifier").fadeToggle(); +- $(".tag").remove(); +- $(".tag_empty").show(); +- // Remove any supplementary results +- if ($("#extresult")[0]) $("#extresult").remove(); +- // Where are we? 
+- var curTab = $('.tab_active').attr('id'); +- switch (curTab) { +- case 't_ovr': +- loadSummary(); +- break; +- case 't_view': +- mkView(); +- break; +- default: +- $(".b_update_note").hide(); +- newView("u"); +- break; +- } +- }); +- +- // Clear search and refresh +- $('#clear_search').click(function() { +- if ($('#search').val() != '') { +- $('#search').val(''); +- $("#search").focus(); +- if ($(".fl_val_on")[0]) { +- $('.b_update').click(); +- } +- } +- }); +- +- // Logout +- $("#logout").click(function(event) { +- $.get("index.php?id=0", function(){location.reload()}); +- }); +- +- // Toggle filters +- $(document).on('click', '.fl_val_on', function(event) { +- var wF = $(this).data("ft"); +- switch (wF) { +- case "tl": +- +- break; +- case "ob": +- $('#clear_search').click(); +- break; +- case "sn": +- $(".chk_sen").each(function() { +- $(this).prop("checked",false); +- }); +- $('.b_update').click(); +- break; +- } +- }); +- +- function clearTags() { +- //$(".tag").remove(); +- //$(".tag_empty").show(); +- $(".tag").removeClass('tag_active'); +- } +- +- // +- // Rows +- // +- +- function closeRow() { +- $("#active_eview").remove(); +- $("#" + this.id).attr('class','d_row'); +- $(".d_row").css('opacity','1'); +- ltCol = $(".d_row_active").find('td.lt').html(); +- $(".d_row_active").find('td.lt').css('background', ltCol); +- $(".d_row_active").attr('class','d_row'); +- // Update class_count +- $("#class_count").text(lastclasscount); +- // Get rid of any crashed loaders +- $("#loader").hide(); +- // Reset checkbox +- $(".chk_all").prop("checked",false); +- // Clear Tags +- clearTags(); +- } +- function closeSubRow() { +- $("#eview_sub1").remove(); +- $("#" + this.id).attr('class','d_row_sub'); +- $(".d_row_sub").css('opacity','1'); +- $(".d_row_sub_active").attr('class','d_row_sub'); +- // Update class_count +- $("#class_count").text(lastclasscount); +- curclasscount = lastclasscount; +- $("#loader").hide(); +- // Reset and show checkbox +- 
$(".chk_all").prop("checked",false); +- $("#ca0").show(); +- // Remove any open externals +- if ($("#extresult")[0]) $("#extresult").remove(); +- // Clear Tags +- clearTags(); +- } +- function closeSubRow1() { +- $("#eview_sub2").remove(); +- $("#" + this.id).attr('class','d_row_sub1'); +- if (!$("#eview_sub3")[0]) { +- $(".d_row_sub1").css('opacity','1'); +- $(".d_row_sub_active1").attr('class','d_row_sub1'); +- } +- $("#loader").hide(); +- // Reset checkbox +- $(".chk_all").prop("checked",false); +- // Remove any open externals +- if ($("#extresult")[0]) $("#extresult").remove(); +- // Clear Tags +- clearTags(); +- } +- function closeSubRow2() { +- $("#eview_sub3").remove(); +- $("#" + this.id).attr('class','d_row_sub1'); +- if (!$("#eview_sub2")[0]) { +- $(".d_row_sub1").css('opacity','1'); +- $(".d_row_sub1_active").attr('class','d_row_sub1'); +- } +- $("#loader").hide(); +- // Clear Tags +- clearTags(); +- } +- +- // +- // Level 1 +- // +- +- $(document).on("click", ".row_active", function(event) { +- var curID = $(this).parent('tr').attr('id'); +- // What type of row are we? +- rowType = curID.substr(0,3); +- +- // Make sure no other instances are open +- if (!$(".d_row_active")[0] && rowType == 'sid') { +- $("#loader").show(); +- // This leaves us with sid-gid +- var rowValue = curID.replace("sid-",""); +- var sigID = rowValue.split("-")[0]; +- +- $(".d_row_active").attr('class', 'd_row'); +- $("#active_eview").attr('class','d_row'); +- +- // This is now the active row +- $("#" + curID).attr('class','d_row_active'); +- $("html, body").animate({ scrollTop: $('.d_row_active').offset().top - 140 }, 20); +- // History +- var itemToAdd = $("#" + curID).find('[class*="row_filter"]').text(); +- hItemAdd(itemToAdd); +- // Set the class count (counted again after load) +- curclasscount = $('.d_row_active').data('event_count'); +- var cols = $('th.sort').length; +- var tbl = ''; +- tbl += ""; +- tbl += "
"; +- tbl += "
"; +- tbl += "
"; +- tbl += "
"; +- tbl += "
"; +- tbl += "
"; +- tbl += "
"; +- tbl += "
"; +- tbl += ""; +- tbl += "CATEGORIZE"; +- tbl += curclasscount + "EVENT(S)  "; +- tbl += "    "; +- tbl += "CREATE FILTER: "; +- tbl += "src  "; +- tbl += "dst  "; +- tbl += "both"; +- tbl += "
"; +- $("#" + curID).after(tbl); +- +- // Lookup signature +- sigLookup(rowValue); +- +- // Fetch results +- eventList("1-" + rowValue); +- +- $("#eview").show(); +- $(".d_row").fadeTo('0','0.2'); +- } else { +- closeRow(); +- } +- }); +- +- // +- // Level 2 +- // +- +- $(document).on("click", ".sub_active", function() { +- if (!$(".d_row_sub_active")[0]) { +- var callerID = $(this).parent('tr').attr('id'); +- +- // Reset checkbox +- $(".chk_all").prop("checked",false); +- +- // RT or ALL? +- switch (rtbit) { +- case 1: adqp = s2h("AND event.status = 0"); break; +- case 0: adqp = s2h("empty"); break; +- } +- // We are now the active row +- $("#" + callerID).attr('class','d_row_sub_active'); +- +- // Populate search times +- var bt = $("#" + callerID).find('[class*="timestamp"]').html(); +- var est = mkStamp(bt,"-",3600000,thisTZ); +- var eet = mkStamp(bt,"+",3600000,thisTZ); +- +- $('#el_start').val(est); +- $('#el_end').val(eet); +- +- // Clear search terms +- $("#srchterms").html(''); +- $(".srch_txt").val(''); +- +- // History and search +- $("#" + callerID).find('[class*="sub_filter"]').each(function() { +- if ($(this).data('type') == 'cc') { +- var itemToAdd = $(this).data('value'); +- } else { +- var itemToAdd = $(this).text(); +- // Add search terms +- $("#srchterms").append("" + itemToAdd + "  "); +- } +- hItemAdd(itemToAdd); +- }); +- +- $("#loader").show(); +- eventList("2-" + callerID + "-" + adqp); +- } else { +- closeSubRow(); +- } +- }); +- +- // +- // Level 3 (a or b) request payload +- // +- +- $(document).on("click", ".sub1_active", function() { +- // Close transcript if it is open +- if ($(".eview_sub3")[0]) closeSubRow2(); +- if (!$(".d_row_sub_active1")[0]) { +- var callerID = $(this).parent('tr').attr('id'); +- $("#" + callerID).attr('class','d_row_sub_active1'); +- +- // Populate search times +- var bt = $("#" + callerID).find('[class*="timestamp"]').html(); +- var est = mkStamp(bt,"-",1800000,thisTZ); +- var eet = 
mkStamp(bt,"+",1800000,thisTZ); +- +- $('#el_start').val(est); +- $('#el_end').val(eet); +- +- // Clear search terms +- $("#srchterms").html(''); +- $(".srch_txt").val(''); +- +- // History +- $("#" + callerID).find('[class*="sub_filter"]').each(function() { +- if ($(this).data('type') == 'cc') { +- var itemToAdd = $(this).data('value'); +- } else { +- var itemToAdd = $(this).text(); +- } +- if ($(this).data('type') == 'ip') { +- // Add search terms +- $("#srchterms").append("" + itemToAdd + "  "); +- } +- hItemAdd(itemToAdd); +- }); +- $("#loader").show(); +- eventList("3-" + callerID); +- } else { +- closeSubRow1() +- } +- }); +- +- // +- // Level 3 (a or b) request transcript +- // +- +- $(document).on("click", ".sub2_active", function(event) { +- // Close payload if it is open +- if ($(".eview_sub2")[0]) closeSubRow1(); +- var bail = $("#loader").css('display'); +- if (bail != 'none') return; +- if (!$(".eview_sub3")[0]) { +- $("#loader").show(); +- composite = $(this).data('tx').split("-"); +- rowLoke = composite[0]; +- $("#" + rowLoke).attr('class','d_row_sub1_active'); +- nCols = $("#" + rowLoke).find('td').length; +- cid = composite[1]; +- txdata = composite[2]; +- +- // See if a transcript is available +- var urArgs = "type=" + 7 + "&txdata=" + txdata; +- $(function(){ +- $.post(".inc/callback.php?" + urArgs, function(data){cb5(data)}); +- }); +- +- function cb5(data){ +- eval("txRaw=" + data); +- txCMD = txRaw.cmd; +- txResult = txRaw.tx; +- txDebug = txRaw.dbg; +- if (txResult == "DEBUG:") txResult += " No data was returned."; +- if (!txResult) { +- txResult = "Transcript request failed!

"; +- txResult += "The command was:
" + txCMD + "

"; +- txResult += "The response was:" + txDebug.replace(/DEBUG:/g,"
"); +- } +- +- var row = '',tbl = ''; +- row += ""; +- row += ""; +- row += "
"; +- row += txResult; +- row += "
"; +- +- tbl += ""; +- tbl += row; +- tbl += ""; +- $("#" + rowLoke).after(tbl); +- +- // Turn off fade effect for large results +- var rC = $(".d_row_sub1").length; +- if ( rC <= 399 ) { +- $(".d_row_sub1").fadeTo('fast','0.2'); +- } +- +- $("#loader").hide(); +- } +- } else { +- closeSubRow2(); +- } +- }); +- +- // Toggle RT depending on entry point +- $(document).on("click", ".b_ec_hot", function() { +- rtbit = 1; +- }); +- $(document).on("click", ".b_ec_total", function() { +- rtbit = 0; +- }); +- +- // Filter constructor +- function mkFilter() { +- if ($('#search').val().length > 0) { +- +- var srchVal = $('#search').val(); +- var fParts = ""; +- +- // If no term is supplied default to a string, IP or wildcard IP search +- chkVal: +- if (srchVal.indexOf(" ") == -1 && srchVal[0] != "!") { +- var re = /^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}/; +- if (re.exec(srchVal)) { +- srchVal = "ip " + srchVal; +- break chkVal; +- } +- +- var re = /^(\d{1,3}|%)\.(\d{1,3}|%)\.(\d{1,3}|%)\.(\d{1,3}|%)/; +- if (re.exec(srchVal)) { +- srchVal = "wip " + srchVal; +- break chkVal; +- } +- +- srchVal = "sig " + srchVal; +- } +- +- fParts = srchVal.replace(/^!/,"").split(" "); +- if (fParts[0] == 'cmt') { +- var theFilter = s2h($('#search').val()); +- rtbit = 0; +- } else { +- // Now see if the requested filter exists +- if ($("#tr_" + fParts[0]).length > 0) { +- tmpFilter = $("#tr_" + fParts[0]).data('filter'); +- // Now see if we need to modify the query +- if (fParts[1]) { +- // This is the base filter +- preFilter = h2s(tmpFilter); +- // This is the user supplied text. 
+- var re = new RegExp("^" + fParts[0] + "\\s{1}|[';\\\`]","g"); +- theQuestion = fParts.join(' ').replace(re, ""); +- // We will accept multiple questions if they are comma delimited +- questionParts = theQuestion.split(","); +- if (questionParts.length > 1) { +- var f = '('; +- for (var i = 0; i < questionParts.length; i++) { +- f += preFilter.replace(/\$/g, questionParts[i]); +- if (i != (questionParts.length - 1)) { +- f += " OR "; +- } +- } +- f += ')'; +- theFilter = s2h(f); +- } else { +- var newFilter = preFilter.replace(/\$/g, questionParts[0]); +- theFilter = s2h(newFilter); +- } +- } else { +- theFilter = tmpFilter; +- } +- } else { // The filter does not exist +- theFilter = s2h('empty'); +- } +- } +- } else { // No filter supplied +- theFilter = s2h('empty'); +- } +- return theFilter; +- } +- +- // +- // This creates the views for each level +- // +- +- function eventList (type) { +- theWhen = getTimestamp(); +- statusPoll(0); +- var parts = type.split("-"); +- var filterMsg = ''; +- var rt = 0; +- var theSensors = s2h('empty'); +- var theFilter = mkFilter(); +- +- // See if we are just RT events +- if ($('#rt').text() == 'on' || rtbit == 1) { +- rt = 1; +- rtbit = 1; +- } +- // How are we sorting? 
+- var sortval = $("#event_sort").val(), sorttxt; +- switch (sortval) { +- case "DESC": sorttxt = "show oldest first"; break; +- case "ASC": sorttxt = "show newest first"; break; +- } +- +- // See if we are filtering by sensor +- if ($('.chk_sen:checked').length > 0) { +- var active_sensors = "AND event.sid IN("; +- var iter = $('.chk_sen:checked').length; +- $('.chk_sen:checked').each(function() { +- active_sensors += "'" + $(this).val() + "',"; +- }); +- active_sensors = active_sensors.replace(/,+$/,''); +- active_sensors += ")"; +- theSensors = s2h(active_sensors); +- } +- +- // Check for any filters +- if (h2s(theFilter) != 'empty') { +- $('.fl_val').text('YES'); +- } else { +- $('.fl_val').text('NO'); +- } +- +- switch (parts[0]) { +- +- // Level 0 view - Grouped by Signature +- case "0": +- $('.value').text('-'); +- +- // Times Chart +- var urChrtArgs = "type=22&ts=" + theWhen + "&filter=" + theFilter + "&sensors=" + theSensors; +- $(function(){ +- $.get(".inc/callback.php?" + urChrtArgs, function(data){cb22(data)}); +- }); +- +- function cb22(data){ +- eval("chartData=" + data); +- var r = chartData.r; +- if (r > 0) { +- mkLine(".times",chartData.rows,chartData.m); +- } +- } +- +- var urArgs = "type=" + parts[0] + "&ts=" + theWhen + "&filter=" + theFilter + "&sensors=" + theSensors + "&rt=" + rt + "&sv=" + sortval; +- $(function(){ +- $.get(".inc/callback.php?" 
+ urArgs, function(data){cb1(data)}); +- }); +- function cb1(data){ +- eval("d0=" + data); +- var tbl = ''; +- var head = ''; +- var row = ''; +- var cols = 11; +- +- if (rt == 0) cols = 12; +- head += ""; +- head += ""; +- head += "QUEUE"; +- if (rt == 0) head += "ALL"; +- head += ""; +- head += "SC"; +- head += "DC"; +- if (rt == 0) head += "CLASS"; +- head += "ACTIVITY"; +- head += "LAST EVENT"; +- head += "SIGNATURE"; +- head += "ID"; +- head += "PROTO"; +- head += "% TOTAL"; +- head += ""; +- +- var sumEC = 0, sumSC = 0, sumDC = 0, sumSI = "-", spr1 = 0, spr2 = 0, spr3 = 0, spr4 = 0; +- +- if (d0.length > 0) { +- // Sums for boxes +- for (var i=0; i"; +- row += "No result. If this is unexpected try this"; +- } +- +- if (rt == 1) { +- sumSC = "-"; +- sumDC = "-"; +- sumEC = eTotal; +- } +- +- var sumRT = 0; +- +- // Tag Array +- var tags = new Array(); +- +- for (var i=0; i 0 ) { +- rtClass = "b_ec_hot"; +- sumRT += parseInt(unClass); +- } else { +- rtClass = "b_ec_cold"; +- } +- +- // Sum priorities +- var prC = Number(d0[i].f1); +- switch (d0[i].f13) { +- case "1": spr1 += prC; break; +- case "2": spr2 += prC; break; +- case "3": spr3 += prC; break; +- default: spr4 += prC; break; +- } +- +- rid = "r" + i + "-" + parts[1]; +- var cells = mkGrid(d0[i].f12); +- if (rt == 0) var catCells = catGrid(d0[i].f11,0,0); +- row += ""; +- row += "
" + unClass + "
"; +- if (rt == 0) row += "
" + d0[i].f1 + "
"; +- row += "
" + d0[i].f13 + "
"; +- row += "" +d0[i].f6+ ""; +- row += "" +d0[i].f7+ ""; +- if (rt == 0) row += "" + catCells + ""; +- +- timeParts = d0[i].f5.split(" "); +- timeStamp = timeParts[1]; +- +- if ( sumEC > 0) { +- rowPer = Number(d0[i].f1/sumEC*100).toFixed(3); +- } else { +- rowPer = "0.000"; +- } +- +- row += "" + cells + ""; +- row += "" + timeStamp + ""; +- row += ""; +- //row += "
" + d0[i].f2 + "
"; +- row += d0[i].f2 + ""; +- row += "" + d0[i].f3 + ""; +- row += "" + d0[i].f8 + ""; +- +- +- row += "" + rowPer + "%"; +- row += ""; +- } +- +- // Populate event summary +- $('#qtotal').text(sumRT); +- $('#etotal').text(sumEC); +- $('#esignature').text(sumSI); +- +- // Populate tags +- for (var i=0; i < tags.length; i++) { +- addTag(tags[i]); +- } +- +- tbl += ""; +- tbl += head; +- tbl += row; +- tbl += "
"; +- +- $('#' + parts[1] + '-' + parts[2]).append(tbl); +- +- if (d0.length > 0) { +- var prVals = [spr1,spr2,spr3,spr4]; +- var pryBar = mkPribar(prVals); +- } else { +- var pryBar = mkPribar([0]); +- } +- $('#tl1').fadeIn('slow'); +- $("#tl1").tablesorter(); +- $("#loader").hide(); +- } +- break; +- +- // Level 1 view - Grouped by signature, source, destination +- +- case "1": +- var urArgs = "type=" + parts[0] + "&object=" + parts[1] + "&ts=" + theWhen + "&filter=" + theFilter + "&sensors=" + theSensors + "&rt=" + rt + "&sv=" + sortval; +- $(function(){ +- $.get(".inc/callback.php?" + urArgs, function(data){cb2(data)}); +- }); +- +- function cb2(data){ +- eval("theData=" + data); +- tbl = ''; +- head = ''; +- row = ''; +- head += "QUEUE"; +- if (rt == 0) head += "TOTAL"; +- if (rt == 0) head += "CLASS"; +- head += "ACTIVITY"; +- head += "LAST EVENT"; +- head += "SOURCE"; +- head += "AGE"; +- head += "COUNTRY"; +- head += "DESTINATION"; +- head += "AGE"; +- head += "COUNTRY"; +- head += ""; +- var curclasscount = 0, tlCount = 0, rtCount = 0; +- var timeValues = "", scid = ""; +- +- // Tag array +- var tags = new Array(); +- +- for (var i=0; i 0 ) { +- rtClass = "b_ec_hot"; +- isActive = "sub_active"; +- } else { +- rtClass = "b_ec_cold"; +- isActive = "sub"; +- } +- +- // Aggregate time values +- timeValues += theData[i].c_ts + ","; +- var cells = mkGrid(theData[i].f12); +- if (rt == 0) var catCells = catGrid(theData[i].c_status,0,0); +- +- // Event sums +- tlCount += parseInt(count,10); +- rtCount += parseInt(unclass,10); +- +- rid = "r" + i + "-" + parts[1] + "-" + src_ip + "-" + dst_ip; +- row += ""; +- row += "
" + unclass + "
"; +- if (rt == 0) row += "
" + count + "
"; +- if (rt == 0) row += "" + catCells + ""; +- row += "" + cells + ""; +- row += "" + max_time + ""; +- row += "
" + src_ip + ""; +- row += "" + src_age_n + ""; +- row += ""; +- row += cs[1] + src_clong + " (." + src_cc.toLowerCase() + ")" + ""; +- row += "
" + dst_ip + ""; +- row += "" + dst_age_n + ""; +- row += ""; +- row += cd[1] + dst_clong + " (." + dst_cc.toLowerCase() + ")" + ""; +- row += ""; +- } +- +- // Populate tags +- for (var i=0; i < tags.length; i++) { +- addTag(tags[i]); +- } +- +- // Add scid's to checkbox +- $("#ca0").data("scid", scid.replace(/,$/, "")); +- +- // If queue is empty provide event sums in case the user +- // intends to reclass anything +- if (rtbit == 1) { +- curclasscount = rtCount; +- } else { +- curclasscount = tlCount; +- } +- +- // update class_count +- $("#class_count").html(curclasscount); +- lastclasscount = $("#class_count").html(); +- +- // While in grouped events (RT) we remove rows as +- // they are classed and subtract the values from "Total Events" +- // This keeps etotal up to date so the math doesn't get silly +- var oldrt = Number($(".d_row_active").find(".b_ec_hot").text()); +- var oldec = Number($("#etotal").text()); +- if (oldrt < rtCount) { +- newrtcount = parseInt((rtCount - oldrt) + oldec); +- $("#etotal").text(newrtcount); +- } +- +- // Update parent counts +- $(".d_row_active").find(".b_ec_hot").text(rtCount); +- if (rt == 0) $(".d_row_active").find(".b_ec_total").text(tlCount); +- +- tbl += "
"; +- tbl += head; +- tbl += row; +- tbl += "
"; +- $("#eview").after(tbl); +- $("#tl2").tablesorter({ +- headers: { +- 4: {sorter:'ipv4'}, +- 6: {sorter:'ipv4'} +- } +- }); +- $("#loader").hide(); +- } +- break; +- +- // Level 2 view - No grouping, individual events +- +- case "2": +- var rowLoke = parts[1]; +- var filter = $('#' + parts[1]).data('filter'); +- var urArgs = "type=" + parts[0] + "&object=" + filter + "&filter=" + theFilter + "&sensors=" + theSensors + "&ts=" + theWhen + "&adqp=" + parts[2] + "&rt=" + rt + "&sv=" + sortval; +- $(function(){ +- $.get(".inc/callback.php?" + urArgs, function(data){cb3(data)}); +- }); +- +- function cb3(data){ +- eval("d2=" + data); +- tbl = ''; +- head = ''; +- row = ''; +- head += ""; +- head += ""; +- head += "ST"; +- head += "TIMESTAMP"; +- head += "EVENT ID"; +- head += "SOURCE"; +- head += "PORT"; +- head += "DESTINATION"; +- head += "PORT"; +- head += "SIGNATURE"; +- head += ""; +- +- // Update class_count +- $("#class_count").html(0); +- var tlCount=0, rtCount=0; +- +- // Tag array +- var tags= new Array(); +- +- for (var i=0; i"; +- tclass = "c" + eclass; +- cv = classifications.class[tclass][0].short; +- +- // Populate tags array +- if (src_tag != "-") { +- var src_tags = src_tag.split(","); +- $.each(src_tags, function(n,tag) { +- var t = tags.indexOf(tag); +- if (t < 0) tags.push(tag); +- }); +- } +- +- if (dst_tag != "-") { +- var dst_tags = dst_tag.split(","); +- $.each(dst_tags, function(n,tag) { +- var t = tags.indexOf(tag); +- if (t < 0) tags.push(tag); +- }); +- } +- +- // Timestamp +- var compts = d2[i].f2.split(",") || "--"; +- var timestamp = compts[0]; +- var utctimestamp = compts[1]; +- +- // Event sums +- tlCount += parseInt(1,10); +- if (cv == "RT") { +- rtCount += parseInt(1,10); +- } +- +- // Transcript link +- // original Squert native pivot: +- //txdata = "s" + i + "-" + cid + "-" + s2h(sid + "|" + utctimestamp + "|" + src_ip + "|" + src_port + "|" + dst_ip + "|" + dst_port); +- //txBit = "" + sid + "." + cid + "
"; +- //if (src_port != "-" && dst_port != "-") { +- // txBit = "" + sid + "." + cid + ""; +- //} +- // new pivot to CapMe: +- txdata = "s" + i + "-" + cid + "-" + s2h(sid + "|" + utctimestamp + "|" + src_ip + "|" + src_port + "|" + dst_ip + "|" + dst_port); +- txBit = "" + sid + "." + cid + ""; +- if (src_port != "-" && dst_port != "-") { +- var startDate = new Date(utctimestamp); +- var start_tz_offset = (startDate.getTimezoneOffset()); +- var stime = startDate.setTime( startDate.getTime()/1000-(start_tz_offset*60) ) - 3600; +- var endDate = new Date(utctimestamp); +- var end_tz_offset = (endDate.getTimezoneOffset()); +- var etime = endDate.setTime( endDate.getTime()/1000-(end_tz_offset*60) ) + 3600; +- txBit = " " + sid + "." + cid + ""; +- } +- +- row += ""; +- row += "
"; +- row += cv + "
"; +- row += "" + timestamp + ""; +- row += txBit; +- row += "" + src_ip + ""; +- row += "" + src_port + ""; +- row += "" + dst_ip + ""; +- row += "" + dst_port + ""; +- row += "" + signature + ""; +- row += ""; +- } +- +- // Update parent counts +- $(".d_row_sub_active").find(".b_ec_hot").text(rtCount); +- if ($(".d_row_sub_active").find(".b_ec_total").text() < tlCount) { +- $(".d_row_sub_active").find(".b_ec_total").text(tlCount); +- } +- +- var cols = $('th.sort').length; +- +- // Populate tags +- clearTags(); +- for (var i=0; i < tags.length; i++) { +- addTag(tags[i]); +- } +- +- tbl += ""; +- tbl += ""; +- tbl += head; +- tbl += row; +- tbl += "
"; +- $("#" + rowLoke).after(tbl); +- $(".d_row_sub").fadeTo('0','0.2'); +- $("#loader").hide(); +- $("#tl3").tablesorter({ +- headers: { +- 0:{sorter:false}, +- 4:{sorter:'ipv4'}, +- 6:{sorter:'ipv4'} +- }, +- cancelSelection:false +- }); +- $("#ca0").hide(); +- } +- break; +- +- // Level 2a view - No grouping, individual events +- +- case "2a": +- $('.value').text('-'); +- var urArgs = "type=2a&ts=" + theWhen + "&filter=" + theFilter + "&sensors=" + theSensors + "&rt=" + rt + "&sv=" + sortval; +- $(function(){ +- $.get(".inc/callback.php?" + urArgs, function(data){cb3a(data)}); +- }); +- +- function cb3a(data){ +- eval("d2a=" + data); +- var tbl = ''; +- var head = ''; +- var row = ''; +- var disabled = ''; +- if (d2a.length == 0) { +- disabled = "disabled"; +- row += ""; +- row += "No result. If this is unexpected try this"; +- } +- +- head += ""; +- head += ""; +- head += ""; +- head += "ST"; +- head += ""; +- head += "TIMESTAMP"; +- head += "ID"; +- head += "SOURCE"; +- head += "PORT"; +- head += "AGE"; +- head += "CC"; +- head += "DESTINATION"; +- head += "PORT"; +- head += "AGE"; +- head += "CC"; +- head += "SIGNATURE"; +- head += ""; +- +- // Aggregate time values +- var timeValues = ""; +- for (var ts=0; ts" + sid + "." + cid + ""; +- //if (src_port != "-" && dst_port != "-") { +- // txBit = "" + sid + "." + cid + ""; +- //} +- // new pivot to CapMe: +- txdata = "s" + i + "-" + cid + "-" + s2h(sid + "|" + utctimestamp + "|" + src_ip + "|" + src_port + "|" + dst_ip + "|" + dst_port); +- txBit = "" + sid + "." + cid + ""; +- if (src_port != "-" && dst_port != "-") { +- var startDate = new Date(utctimestamp); +- var start_tz_offset = (startDate.getTimezoneOffset()); +- var stime = startDate.setTime( startDate.getTime()/1000-(start_tz_offset*60) ) - 3600; +- var endDate = new Date(utctimestamp); +- var end_tz_offset = (endDate.getTimezoneOffset()); +- var etime = endDate.setTime( endDate.getTime()/1000-(end_tz_offset*60) ) + 3600; +- txBit = " " + sid + "." 
+ cid + ""; +- } +- +- row += ""; +- row += ""; +- row += "
"; +- row += cv + "
"; +- row += "
" + d2a[i].f16 + "
"; +- row += "" + timestamp + ""; +- row += txBit; +- row += "
" + src_ip + ""; +- row += "" + src_port + ""; +- row += "" + src_age_n + ""; +- row += "" + cs[1] + ""; +- row += "
" + dst_ip + ""; +- row += "" + dst_port + ""; +- row += "" + dst_age_n + "" +- row += "" + cd[1] + ""; +- row += "" + signature + ""; +- } +- +- var sumED = 0, sumEC = 0, cmsg = ""; +- +- if (d2a.length > 0) { +- sumED = i; +- sumEC = d2a.length; +- } +- +- if (d2a.length >= maxI) { +- sumRE = sumEC - maxI; +- cmsg = " / " + sumRE + " not shown"; +- } +- +- $("#qtotal").html(rsumRT); +- +- // Populate tags +- clearTags(); +- for (var i=0; i < tags.length; i++) { +- addTag(tags[i]); +- } +- +- // Draw +- tbl += ""; +- tbl += "
"; +- tbl += "
"; +- tbl += "
"; +- tbl += "categorize " + 0 + ""; +- tbl += " of " + sumED + " event(s)" + cmsg; +- tbl += "
"; +- tbl += "
" + sorttxt + "
"; +- tbl += "
"; +- tbl += "
"; +- tbl += ""; +- tbl += head; +- tbl += row; +- tbl += "
"; +- $('#' + parts[1] + '-' + parts[2]).after(tbl); +- +- if (d2a.length > 0) { +- var prVals = [spr1,spr2,spr3,spr4]; +- var pryBar = mkPribar(prVals); +- } else { +- var pryBar = mkPribar([0]); +- } +- $("#tl3a,#tl3b").fadeIn('slow'); +- $("#tl3b").tablesorter({ +- headers: { +- 0:{sorter:false}, +- 1:{sorter:false}, +- 5:{sorter:'ipv4'}, +- 8:{sorter:'ipv4'} +- }, +- cancelSelection:false +- }); +- $("#loader").hide(); +- } +- break; +- +- // Level 3 view - Packet Data +- +- case "3": +- var rowLoke = parts[1]; +- var nCols = $('#' + parts[1]).data('cols'); +- var filter = $('#' + parts[1]).data('filter'); +- var urArgs = "type=" + parts[0] + "&object=" + filter + "&ts=" + theWhen; +- var sg = $('#' + parts[1]).data('sg'); +- $(function(){ +- $.get(".inc/callback.php?" + urArgs, function(data){cb4(data)}); +- }); +- +- function cb4(data){ +- eval("theData=" + data); +- +- var tbl = '', head = '', row = ''; +- +- // If IP version is 0 we can jump right to the payload (likely bro, http or ossec agent) +- if (theData[0].ip_ver != 0) { +- +- var PDATA = 0; +- head += ""; +- head += ""; +- head += ""; +- head += ""; +- head += ""; +- head += ""; +- head += ""; +- head += ""; +- head += ""; +- head += ""; +- head += ""; +- head += ""; +- head += ""; +- head += ""; +- +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += "
IPVERIHLTOSLENGTHIDFLAGSOFFSETTTLCHECKSUMPROTO
" + theData[0].ip_ver + "" + theData[0].ip_hlen + "" + theData[0].ip_tos + "" + theData[0].ip_len + "" + theData[0].ip_id + "" + theData[0].ip_flags + "" + theData[0].ip_off + "" + theData[0].ip_ttl + "" + theData[0].ip_csum + "" + theData[0].ip_proto + "
"; +- +- switch (theData[0].ip_proto) { +- case "1": +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += "
ICMPTYPECODECHECKSUMIDSEQ#
" + theData[1].icmp_type + "" + theData[1].icmp_code + "" + theData[1].icmp_csum + "" + theData[1].icmp_id + "" + theData[1].icmp_seq + "
"; +- break; +- +- case "6": +- // TCP flags +- var tmpFlags = theData[1].tcp_flags || 'z'; +- switch (tmpFlags) { +- case 'z': var tcpFlags = '--------'; break; +- default: +- var binFlags = Number(theData[1].tcp_flags).toString(2); +- var binPad = 8 - binFlags.length; +- var tcpFlags = "00000000".substring(0,binPad) + binFlags; +- break; +- } +- var tcp_seq = theData[1].tcp_seq || '-'; +- var tcp_ack = theData[1].tcp_ack || '-'; +- var tcp_off = theData[1].tcp_off || '-'; +- var tcp_res = theData[1].tcp_res || '-'; +- var tcp_win = theData[1].tcp_win || '-'; +- var tcp_urp = theData[1].tcp_urp || '-'; +- var tcp_csum = theData[1].tcp_csum || '-'; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += "
TCPR1R0URGACKPSHRSTSYNFINSEQ#ACK#OFFSETRESWINURPCHECKSUM
" + tcpFlags[0] + "" + tcpFlags[1] + "" + tcpFlags[2] + "" + tcpFlags[3] + "" + tcpFlags[4] + "" + tcpFlags[5] + "" + tcpFlags[6] + "" + tcpFlags[7] + "" + tcp_seq + "" + tcp_ack + "" + tcp_off + "" + tcp_res + "" + tcp_win + "" + tcp_urp + "" + tcp_csum + "
"; +- break; +- +- case "17": +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += "
UDPLENGTHCHECKSUM
" + theData[1].udp_len + "" + theData[1].udp_csum + "
"; +- break; +- } +- +- var p_hex = '', p_ascii = '', p_ascii_l = ''; +- +- // Data +- if (!theData[2]) { +- p_hex = "No Data Sent."; +- p_ascii = "No Data Sent."; +- } else { +- p_pl = theData[2].data_payload; +- p_length = theData[2].data_payload.length; +- var b0 = 0; +- +- for(var i=0; i < p_length; i+=2) { +- b0++; +- t_hex = p_pl.substr(i,2); +- t_int = parseInt(t_hex,16); +- +- if ((t_int < 32) || (t_int > 126)) { +- p_hex += t_hex + " "; +- p_ascii += "."; +- p_ascii_l += "."; +- } else if (t_int == 60) { +- p_hex += t_hex + " "; +- p_ascii += "<"; +- p_ascii_l += "<"; +- } else if (t_int == 62) { +- p_hex += t_hex + " "; +- p_ascii += ">"; +- p_ascii_l += ">"; +- } else { +- p_hex += t_hex + " "; +- p_ascii += String.fromCharCode(parseInt(t_hex, 16)); +- p_ascii_l += String.fromCharCode(parseInt(t_hex, 16)); +- } +- +- if ((b0 == 16) && (i < p_length)) { +- p_hex += "
"; +- p_ascii += "
"; +- b0 = 0; +- } +- } +- } +- +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += "
DATAHEXASCII
" + p_hex + "" + p_ascii + "
ASCII" + p_ascii_l + "
"; +- +- } else { +- +- head += ""; +- var p_ascii = "No Data Sent."; +- // This needs to be more robust. +- if (theData[2]) { +- var tmp = h2s(theData[2].data_payload).split("\n"); +- p_ascii = ''; +- for (var i in tmp) { +- p_ascii += "
" + tmp[i] + "
"; +- } +- +- } +- row += ""; +- row += ""; +- row += "
" + p_ascii + "
"; +- } +- +- tbl += ""; +- +- // If we are not grouped we show the signature text +- if ( sg != 0 ) { +- tbl += "
"; +- tbl += "
"; +- tbl += "
"; +- tbl += "
"; +- tbl += "
"; +- tbl += "
"; +- sigLookup(sg); +- } +- +- // Comments and tags are done here +- var tags = new Array(); +- var eventTag = 'None.'; +- var eventComment = theData[0].comment || 'None.'; +- var src_tag = theData[0].srctag || '-'; +- var dst_tag = theData[0].dsttag || '-'; +- +- // Populate tags array +- if (src_tag != "-") { +- var src_tags = src_tag.split(","); +- $.each(src_tags, function(n,tag) { +- var t = tags.indexOf(tag + ",s"); +- if (t < 0) tags.push(tag + ",s"); +- }); +- } +- +- if (dst_tag != "-") { +- var dst_tags = dst_tag.split(","); +- $.each(dst_tags, function(n,tag) { +- var t = tags.indexOf(tag + ",d"); +- if (t < 0) tags.push(tag + ",d"); +- }); +- } +- +- if (tags.length > 0) eventTag = ''; +- +- tbl += "
COMMENTS
"; +- tbl += "
" + eventComment + "
"; +- tbl += "
TAGS
"; +- tbl += "
" + eventTag + "
"; +- if (PDATA != 0) { +- tbl += "
DETAILS
"; +- } else { +- tbl += "
PAYLOAD
"; +- } +- tbl += head; +- tbl += row; +- tbl += ""; +- $("#" + rowLoke).after(tbl); +- $("#loader").hide(); +- +- // Turn off fade effect for large results +- var rC = $(".d_row_sub1").length; +- if ( rC <= 499 ) { +- $(".d_row_sub1").fadeTo('fast','0.2'); +- } +- +- // Populate tags +- clearTags(); +- for (var i=0; i < tags.length; i++) { +- addTag(tags[i]); +- } +- +- } +- break; +- } +- // If event queue is off we need to reset this after load if b_ec_hot was +- // the entry point +- if ($('#rt').text() == 'off') rtbit = 0; +- } +- +- // +- // Object click handlers +- // +- +- $(document).on("click", ".select,.ex_val,.sub_filter,.row_filter,.tof,.value_link,.nr_f", function(e) { +- // Check if we are coming from a legit object +- var prefix = $(this).data('type'); +- if (prefix == "none") return; +- +- // Check if we are coming from a sane selection +- var selLen = window.getSelection().toString().length; +- if (selLen > 4) { +- if (selLen < 255) { // Might need to change these based on how people use this +- prefix = "zz"; +- var suffix = window.getSelection().toString(); +- var re = /\s/g; +- var NOK = re.exec(suffix); +- if (NOK) return; +- } else { +- return; +- } +- } else { +- var suffix = $(this).text(); +- } +- +- var mX = e.pageX; +- var mY = e.pageY; +- +- var colour = $(this).data('col') || "FFFFFF"; +- var tfocus = "#search"; +- switch (prefix) { +- case 'ip': +- hItemAdd(suffix); +- var sord = $(this).data('sord'); +- mkPickBox(prefix,suffix,sord,colour,mX,mY); +- break; +- case 'spt': +- case 'dpt': +- hItemAdd(suffix); +- mkPickBox(prefix,suffix,0,colour,mX,mY); +- break; +- case 'cc': +- case 'scc': +- case 'dcc': +- var cc = $(this).data('value'); +- hItemAdd(cc); +- mkPickBox(prefix,cc,suffix,colour,mX,mY); +- break; +- case 'cmt': +- suffix = $(this).data('comment'); +- $("#rt").text("off"); +- $("#rt").attr('class','tvalue_off'); +- $('#search').val(prefix + " " + suffix); +- hItemAdd(suffix); +- if ($('#cat_box').css('display') != 'none') { 
+- $('#ico01').click(); +- } +- $('.b_update').click(); +- break; +- case 'cmt_c': +- $('.cat_msg_txt').val(suffix); +- hItemAdd(suffix); +- tfocus = ".cat_msg_txt"; +- break; +- case 'fil': +- var fil = $(this).data('value'); +- $('#search').val(fil); +- hItemAdd(fil); +- if ($('#fltr_box').css('display') != 'none') { +- $('#ico04').click(); +- } +- $('.b_update').click(); +- break; +- case 'sid': +- var value = $(this).data('value'); +- hItemAdd(suffix); +- mkPickBox(prefix,value,suffix,colour,mX,mY); +- break; +- case 'st': +- var suffix = $(this).attr('id').split('-')[1]; +- $('#search').val(prefix + " " + suffix); +- // RT must be off to return anything +- $('#rt').attr('class','tvalue_off'); +- $('#rt').text('off'); +- rtbit = 0; +- $('.b_update').click(); +- break; +- case 'el': +- var suffix = $(this).data('value'); +- mkPickBox(prefix,suffix,0,colour,mX,mY); +- break; +- case 'zz': +- hItemAdd(suffix); +- mkPickBox(prefix,suffix,0,colour,mX,mY); +- break; +- } +- }); +- +- // +- // Picker Box +- // +- +- function mkPickBox(prefix,suffix,rsuffix,colour,mX,mY) { +- var doexternals = "yes"; +- var objhex = s2h(suffix); +- var tbl = '', row = ''; +- // Local stuff first +- switch (prefix[prefix.length - 1]) { +- case "c": +- row += ":: SRC or DST"; +- row += ":: SRC"; +- row += ":: DST"; +- row += ":: SEARCH"; +- break; +- case "p": +- row += ":: SRC or DST"; +- row += ":: SRC"; +- row += ":: DST"; +- row += ":: ADD / REMOVE TAG"; +- if ($('.sigtxt')[0]) { +- row += ":: HISTORY"; +- } +- row += ":: SEARCH"; +- row += ":: COLOUR  "; +- row += ""; +- row += "apply"; +- row += "apply all"; +- row += ""; +- break; +- case "t": +- row += ":: SRC"; +- row += ":: DST"; +- row += ":: SEARCH"; +- break; +- case "d": +- row += ":: SIGNATURE"; +- if ($('.sigtxt')[0]) { +- row += ":: HISTORY"; +- } +- row += ":: SEARCH"; +- break; +- case "l": +- row += ":: COLOUR  "; +- row += ""; +- row += "update"; +- doexternals = "no"; +- break; +- case "z": +- row += ":: SEARCH"; +- 
break; +- } +- +- // If applicable populate externals +- if (doexternals == "yes") { +- $('.f_row').each(function() { +- var ct = $(this).data('type'); +- if (ct == 'url') { +- var alias = $(this).data('alias'); +- var name = $(this).data('name'); +- var url = $(this).data('filter'); +- row += ""; +- row += "" + name + ""; +- row += ""; +- } +- }); +- } +- +- tbl += ""; +- tbl += row; +- tbl += "
"; +- +- var boxlabel = suffix; +- +- // Use more descriptive names where possible +- var re = /(sid|cc|scc|dcc)/; +- var OK = re.exec(prefix); +- if (OK) { +- var boxlabel = rsuffix; +- } +- +- if (boxlabel.length > 24) { +- boxlabel = boxlabel.substring(0,24); +- boxlabel += ".."; +- } +- +- $('#pickbox_label').text(boxlabel).css('font-weight','normal').data('sord', rsuffix); +- +- if ($('#tlpick')[0]) $('#tlpick').remove(); +- $(".pickbox_tbl").append(tbl); +- $('.pickbox').fadeIn('fast'); +- +- // Colour Picker +- $("#menucol").spectrum({ +- showInput: true, +- className: "full-spectrum", +- showInitial: true, +- showPalette: true, +- showSelectionPalette: true, +- maxPaletteSize: 6, +- preferredFormat: "hex", +- localStorageKey: "spectrum.demo", +- move: function (color) {}, +- show: function () {}, +- beforeShow: function () {}, +- hide: function () {}, +- change: function() {}, +- palette: [ +- ['rgb(217,217,217)','rgb(189,189,189)','rgb(150,150,150)','rgb(99,99,99)','rgb(37,37,37)'], +- ['rgb(199,233,192)','rgb(161,217,155)','rgb(116,196,118)','rgb(49,163,84)','rgb(0,109,44)'], +- ['rgb(218,218,235)','rgb(188,189,220)','rgb(158,154,200)','rgb(117,107,177)','rgb(84,39,143)'], +- ['rgb(198,219,239)','rgb(158,202,225)','rgb(107,174,214)','rgb(49,130,189)','rgb(8,81,156)'], +- ['rgb(254,217,118)','rgb(254,178,76)','rgb(253,141,60)','rgb(240,59,32)','rgb(189,0,38)'] +- ] +- }); +- } +- +- // Pickbox click events +- $(document).on('click', '.p_row', function() { +- if ($('.tagbox').css('display') != 'none') $('.tagcancel').click(); +- var ctype = $(this).data('type'); +- var alias = $(this).data('alias'); +- var args = $('#tlpick').data('val'); +- switch(ctype) { +- case "l": +- $('.pickbox').fadeOut('fast'); +- $('#search').val(alias + " " + args); +- $('.b_update').click(); +- break; +- case "r": +- $('.pickbox').fadeOut('fast'); +- var url = h2s($(this).data('url')).replace("${var}", args); +- window.open(url); +- break; +- case "t": +- 
$('.tagbox').fadeIn('fast'); +- $('.taginput').focus(); +- break; +- case "s": +- $('.pickbox').fadeOut('fast', function() {; +- $('#ico05').click(); +- }); +- $('.srch_txt').val(args); +- break; +- case "h": +- doHistory(args); +- $('.pickbox').fadeOut('fast'); +- break; +- default: return; +- } +- }); +- +- // +- // Tags +- // +- +- // Truncate +- function truncTag(tag,len) { +- if (tag.length > len) tag = tag.substring(0,len) + ".."; +- return tag; +- } +- +- // Filter results or add as new +- $(document).on('click', '.tag', function() { +- var tag = $(this).data('val'); +- if($('.taginput').is(":visible")) { +- $('.taginput').val(tag); +- $('.taginput').focus(); +- } else { +- $('#search').val('tag ' + tag); +- $('.b_update').click(); +- } +- }); +- +- // Remove individual tags on "(X)" click via payload area +- $(document).on('mouseenter', '.tag_d, .tag_s', function() { +- var tag = $(this).data('val'); +- if ($(".tag_x")[0]) return; +- var dw = $(this).width() - 5 + "px"; +- $(this).append("
X
"); +- $(".tag_x").css("margin-left", dw); +- $(".tag_x").fadeIn("slow"); +- +- }); +- +- $(document).on('mouseleave', '.tag_d, .tag_s', function() { +- $('.tag_x').remove(); +- }); +- +- $(document).on('click', '.tag_x', function() { +- var tag = $(this).parent().data("val"); +- var obj = $(this).parent().data("obj"); +- $(this).parent().remove(); +- var len = $("#tag_area").text().length; +- if (len == 0) $("#tag_area").append("None."); +- //doTag(s2h(obj),tag,'rm'); +- }); +- +- // Fire tag add on enter +- $('.taginput').keypress(function(e) { +- if (!e) e=window.event; +- key = e.keyCode ? e.keyCode : e.which; +- if (key == 13) $('.tagok').click(); +- }); +- +- // Close tag entry +- $(document).on('click', '.tagcancel', function() { +- $('.taginput').val(''); +- $('.tagbox').fadeOut('fast'); +- }); +- +- // Add a tag +- $(document).on('click', '.tagok', function() { +- var tag = $('.taginput').val(); +- var obj = $('#pickbox_label').text(); +- var re = /^[?a-zA-Z0-9][\s{1}\w-\.]*$/; +- var OK = re.exec(tag); +- if (OK) doTag(s2h(obj),tag,'add'); +- }); +- +- // Remove a tag +- $(document).on('click', '.tagrm', function() { +- var tag = truncTag($('.taginput').val(),20); +- var obj = $('#pickbox_label').text(); +- doTag(s2h(obj),tag,'rm'); +- $(".tag" + ":contains('" + tag + "')").remove(); +- $('.tagcancel').click(); +- }); +- +- // Display or Toggle tags +- function addTag(tag) { +- // If we entered from payload we have some additional info +- if ($('#eview_sub2')[0]) { +- var longTag = tag.split(",")[0]; +- var theClass = tag.split(",")[1]; +- var t_tag = truncTag(longTag,20); +- } else { +- var t_tag = truncTag(tag,20); +- } +- +- // Hide empty +- $('.tag_empty').hide(); +- +- // Check if tag exists +- var tag_exists = 0; +- $('.tag').each(function() { +- if ($(this).text() == t_tag) { +- $(this).addClass('tag_active'); +- tag_exists = 1; +- } +- }); +- +- // Add tag to left pane +- if (tag_exists == 0) { +- var newTag = "
" + t_tag + "
"; +- $('#tg_box').prepend(newTag); +- } +- +- // If we have the payload open, add here as well +- if ($('#eview_sub2')[0]) { +- if($('#pickbox_label').is(":visible")) { +- theClass = $('#pickbox_label').data('sord')[0]; +- } +- // Remove placeholder +- if ($('#tag_none')[0]) $('#tag_none').remove(); +- var newTag = "
" + t_tag + "
"; +- $('#tag_area').prepend(newTag); +- } +- +- } +- +- function doTag(obj,tag,op) { +- var urArgs = "type=19&obtype=tag&object=" + obj + "&value=" + tag + "&op=" + op; +- $(function(){ +- $.post(".inc/callback.php?" + urArgs, function(data){cb22(data)}); +- }); +- +- function cb22(data){ +- eval("theData=" + data); +- if (theData.msg != '') { +- alert(theData.msg); +- } else { +- if (op != 'rm') addTag(tag); +- $('.tagcancel').click(); +- } +- } +- } +- +- // Colours +- $(document).on('click', '.csave', function() { +- var obtype = $(this).data('obtype'); +- var object = $(this).data('object'); +- var colour = $('#menucol').val().replace(/#/,"").toUpperCase(); +- var op = "add"; +- var re = /^([A-Fa-f0-9]{6}|[A-Fa-f0-9]{3})$/; +- var OK = re.exec(colour); +- if (!OK) return; +- // Single or multiple? +- if (obtype == "src" || obtype == "dst") { +- var vr = new Array(); +- $("." + obtype).each(function() { +- var v = $(this).text(); +- var re = /\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}/; +- var OK = re.exec(v); +- if (OK) { +- var t = vr.indexOf(v); +- if (t < 0) vr.push(v); +- } +- }); +- object = vr.toString(); +- } +- +- var urArgs = "type=19&obtype=" + obtype + "_c&object=" + object + "&value=" + colour + "&op=" + op; +- $(function(){ +- $.post(".inc/callback.php?" + urArgs, function(data){cb22(data)}); +- }); +- +- function cb22(data){ +- eval("theData=" + data); +- if (theData.msg != '') { +- alert(theData.msg); +- } else { // We should be good.. +- var curObject = $('#pickbox_label').text(); +- if (obtype == "el") { +- var html = "
" + colour; +- $('#el_' + curObject).html(html); +- $('#el_' + curObject).data('col', colour); +- } else { +- $(".sub_filter:contains(" + curObject + ")").each(function() { +- $(this).find('.object').css('background-color', '#' + colour).parent().data('col', colour); +- }); +- } +- $('.pickbox').fadeOut('fast'); +- } +- } +- }); +- +- $(document).on('click', '.pickbox_close', function() { +- $('.tagcancel').click(); +- $('.pickbox').fadeOut('fast'); +- }); +- +- // +- // Object History +- // +- +- function hItemAdd(item) { +- var itemTitle = item; +- // Truncate +- if (item.length > 33) { +- itemTitle = item.substring(0,33) + ".."; +- } +- // Remove empty message +- $('.history_empty').hide(); +- +- // If the item doesn't exist, add it. Otherwise, we start counting. +- if ($(".h_item:contains('" + itemTitle + "')").length > 0) { +- var oc = $(".h_item:contains('" + itemTitle + "')").data('n'); +- var nc = Number(oc) + 1; +- var bg = '#c9c9c9'; +- var fn = 'normal'; +- if (nc <= 3) { +- bg = '#000'; +- } else if (nc > 3) { +- bg = '#cc0000'; +- fn = 'bold'; +- } +- +- $(".h_item:contains('" + itemTitle + "')").css('color', bg); +- $(".h_item:contains('" + itemTitle + "')").css('font-weight', fn); +- $(".h_item:contains('" + itemTitle + "')").data('n',nc); +- $(".h_item:contains('" + itemTitle + "')").text(itemTitle + "(" + nc + ")"); +- } else { +- var toAdd = " " + itemTitle + ""; +- $('#h_box').prepend(toAdd); +- } +- } +- +- if (!$('.h_item')[0]) { +- $('.history_empty').show(); +- } +- +- // Alt mappings for icons +- +- $.alt('1', function() { +- $("#ico01").click(); +- }); +- $.alt('2', function() { +- $("#ico02").click(); +- }); +- $.alt('3', function() { +- $("#ico03").click(); +- }); +- $.alt('4', function() { +- $("#ico05").click(); +- }); +- $.alt('5', function() { +- $("#ico04").click(); +- }); +- +- // +- // Event classification +- // +- +- // Use function keys to trigger status buttons +- $(document).keydown(function(event){ +- +- function stopOthers() 
{ +- event.originalEvent.keyCode = 0; +- event.preventDefault(); +- event.stopPropagation(); +- } +- +- switch (event.keyCode) { +- case 112: stopOthers(); $('#b_class-11').click(); break; +- case 113: stopOthers(); $('#b_class-12').click(); break; +- case 114: stopOthers(); $('#b_class-13').click(); break; +- case 115: stopOthers(); $('#b_class-14').click(); break; +- case 116: stopOthers(); $('#b_class-15').click(); break; +- case 117: stopOthers(); $('#b_class-16').click(); break; +- case 118: stopOthers(); $('#b_class-17').click(); break; +- case 119: stopOthers(); $('#b_class-1').click(); break; +- case 120: stopOthers(); $('#b_class-2').click(); break; +- } +- }); +- +- // Comment window status buttons +- $(document).on("click", "#cw_buttons", function(event) { +- var newclass = $(event.target).data('n'); +- if (newclass == 0) { +- $('#b_class-' + newclass).click(); +- } else { +- $('#b_class-' + newclass).click(); +- } +- }); +- +- // Highlight colour for selected events +- var hlcol = "#FFFFE0"; +- var hlhov = "#FDFDD6"; +- +- // Individual selects +- var clickOne = 0, clck1 = 0, clck2 = 0; +- $(document).on("click", ".chk_event", function(event) { +- $("#tl3b").trigger('update'); +- var clickTwo = this.id.split("_"); +- if (Number(clickOne[1]) > Number(clickTwo[1])) { +- clck1 = clickTwo[1]; +- clck2 = clickOne[1]; +- } else { +- clck1 = clickOne[1]; +- clck2 = clickTwo[1]; +- } +- +- if (event.shiftKey) { +- if (clck1 != clck2) { +- $("#s" + clck1).nextUntil("#s" + clck2).find(".chk_event").prop("checked", true); +- $("#s" + clck1).nextUntil("#s" + clck2).css("background-color", hlcol); +- $("#s" + clck1).nextUntil("#s" + clck2).hover( +- function(){$(this).css("background-color", hlhov)}, +- function(){$(this).css("background-color", hlcol)}); +- clickOne = 0, clck1 = 0, clck2 = 0; +- } +- } +- +- // Update class_count +- $("#class_count").html($(".chk_event:checked").length); +- if ($("#ca1:checked").length > 0) { +- $("#ca1").prop("checked",false); +- 
} +- clickOne = this.id.split("_"); +- +- if ($(this).prop("checked") == true) { +- $("#s" + clickTwo[1]).css("background-color", hlcol); +- $("#s" + clickTwo[1]).hover(function(){$(this).css("background-color", hlhov)}, +- function(){$(this).css("background-color", hlcol)}); +- } else { +- $("#s" + clickTwo[1]).css("background-color", "transparent"); +- $("#s" + clickTwo[1]).hover(function(){$(this).css("background-color", "#f4f4f4")}, +- function(){$(this).css("background-color", "transparent")}); +- } +- }); +- +- // Select all (2) +- $(document).on("click", "#ca1", function(event) { +- var chkLen = $("#ca1:checked").length; +- switch(chkLen) { +- case 0: +- $(".chk_event").prop("checked",false); +- $("#ca0").prop("checked",false); +- $(".d_row_sub1").css("background-color", "transparent"); +- $(".d_row_sub1").hover(function(){$(this).css("background-color", "#f4f4f4")}, +- function(){$(this).css("background-color", "transparent")}); +- break; +- default: +- $(".chk_event").each(function() { +- if ($(this).prop("disabled") == false) { +- $(this).prop("checked",true); +- } +- }); +- $(".d_row_sub1").css("background-color", hlcol); +- $(".d_row_sub1").hover(function(){$(this).css("background-color", hlhov)}, +- function(){$(this).css("background-color", hlcol)}); +- $("#ca0").prop("checked",true); +- break; +- } +- +- if ($(".eview_sub1")[0]) { +- // Update class_count +- $("#class_count").html($(".chk_event:checked").length); +- } +- +- }); +- +- // Select all (2a) - clean this up, the above is almost identical +- $(document).on("click", "#ca2", function(event) { +- var chkLen = $("#ca2:checked").length; +- switch(chkLen) { +- case 0: +- $(".chk_event").prop("checked",false); +- $("#ca2").prop("checked",false); +- $(".d_row_sub1").css("background-color", "transparent"); +- $(".d_row_sub1").hover(function(){$(this).css("background-color", "#f4f4f4")}, +- function(){$(this).css("background-color", "transparent")}); +- break; +- default: +- 
$(".chk_event").each(function() { +- if ($(this).prop("disabled") == false) { +- $(this).prop("checked",true); +- } +- }); +- $(".d_row_sub1").css("background-color", hlcol); +- $(".d_row_sub1").hover(function(){$(this).css("background-color", hlhov)}, +- function(){$(this).css("background-color", hlcol)}); +- $("#ca2").prop("checked",true); +- break; +- } +- // Update class_count +- $("#class_count").html($(".chk_event:checked").length); +- }); +- +- // Class button click +- $(document).on("click", "[id*=\"b_class-\"]", function() { +- // We only fire if something is selected +- var chkLen = parseInt($(".chk_event:checked").length + $(".chk_all:checked").length); +- var intclass = $(this).attr('id').split("-"); +- if (chkLen > 0 && intclass[1] != 0) { +- eClass(this,intclass[1]); +- } +- }); +- +- function eClass(caller,intclass) { +- // The sid.cid values +- var scid= "", scidlist = "", ecls = 0; +- if ($(".eview_sub1")[0] || $("#ca2")[0]) { +- $(".chk_event:checked").each(function() { +- if ($(this).data('eclass') == 0) { +- ecls++; +- } +- scid += $(this).val() + ","; +- }); +- scidlist = scid.replace(/,$/, ""); +- } else { +- ecls = $(".d_row_active").find(".b_ec_hot").text(); +- scidlist = $("#ca0").data("scid"); +- } +- +- // Was there a message? +- var msg = "none"; +- if ($(".cat_msg_txt").val().length != 0) { +- msg = $(".cat_msg_txt").val(); +- } +- +- if ($('#cat_box').css('display') != 'none') { +- $('#ico01').click(); +- } +- +- // We are now ready to class +- var catdata = intclass + "|||" + msg + "|||" + scidlist; +- var urArgs = "type=" + 9; +- $(function(){ +- $.post(".inc/callback.php?" 
+ urArgs, { catdata: catdata } ,function(data){cb9(data)}); +- }); +- +- function cb9(data){ +- eval("catRaw=" + data); +- catDbg = catRaw.dbg; +- if (catDbg == "0") { +- +- var curtotalrtcount = Number(ecls); +- // Working on grouped events +- if ($("#gr").text() == "on") { +- curclasscount = Number($("#class_count").text()); +- var curtotalparentcount = $(".d_row_active").find(".b_ec_hot").text(); +- // Do we have queued events? +- if (curtotalparentcount > 0) { +- +- // Are we working on queued events? +- if (curtotalrtcount > 0) { +- curclasscount = curtotalrtcount; +- } else { +- curclasscount = 0; +- } +- // Adjust the parent count +- newparentcount = parseInt(curtotalparentcount - curclasscount,10); +- $(".d_row_active").find(".b_ec_hot").text(newparentcount); +- +- if (newparentcount == 0) { +- $(".d_row_active").find(".b_ec_hot").parent().attr('class','row'); +- $(".d_row_active").find(".b_ec_hot").attr('class','b_ec_cold'); +- } +- +- // If we are working within the child, adjust accordingly +- if ($(".eview_sub1")[0]) { +- // How many are in the child +- curtotalchildcount = $(".d_row_sub_active").find(".b_ec_hot").text(); +- +- // Adjust the child count +- newchildcount = parseInt(curtotalchildcount - curclasscount,10); +- $(".d_row_sub_active").find(".b_ec_hot").text(newchildcount); +- if (newchildcount == 0) { +- $("#ca1").prop("disabled",true); +- $(".d_row_sub_active").find(".b_ec_hot").parent().attr('class','sub'); +- $(".d_row_sub_active").find(".b_ec_hot").attr('class','b_ec_cold'); +- } +- // Otherwise we were called from the parent +- } else { +- $(".d_row_sub").find(".b_ec_hot").parent().attr('class','sub'); +- $(".d_row_sub").find(".b_ec_hot").text(0); +- $(".d_row_sub").find(".b_ec_hot").attr('class','b_ec_cold'); +- $("#ca0").prop("disabled",true); +- } +- lastclasscount = newparentcount; +- } +- +- // Lastly, update class_count +- if (rtbit == 1 || curtotalrtcount > 0 || $("#eview_sub")[0]) { +- $("#class_count").html(0); +- } else { +- 
$("#class_count").html($(".d_row_active").find(".b_ec_total").text()); +- } +- +- // Working on ungrouped events +- } else { +- $("#class_count").html(lastclasscount); +- } +- +- // What the new classification is +- selClass = $(caller).data("cn"); +- newClass = "a_" + selClass; +- +- // Change visible class and disable if RT +- // If we are RT ungrouped, we just remove +- if ($('#rt').text() == 'on' && $("#ca2")[0]) { +- $(".chk_event:checked").each(function() { +- var pid = $(this).attr("id").split("_"); +- var nid = parseInt(Number(pid[1]) + 1); +- // Remove any open payload or TX panes +- if ($("[id^=eview_]")[0]) { +- $("[id^=eview_]").remove(); +- $(".d_row_sub1").css('opacity','1'); +- } +- // Remove the row +- $("#s" + pid[1]).fadeOut('fast', function() { +- $("#s" + pid[1]).remove(); +- }); +- }); +- +- // Update table (for sorter) +- $("#tl3b").trigger('update'); +- } else { +- // If we are RT and all events are classed we just remove +- if ($('#rt').text() == 'on' && $(".d_row_active").find(".b_ec_hot").text() == 0) { +- $("#active_eview").remove(); +- $(".d_row_active").fadeOut('slow', function (event) { +- $(".d_row_active").remove(); +- var newsigtotal = "-"; +- var sigtotal = $("#esignature").text(); +- if (sigtotal > 0) { +- newsigtotal = parseInt(sigtotal - 1); +- } +- $("#esignature").text(newsigtotal); +- }); +- $(".d_row").css('opacity','1'); +- } else { +- $(".chk_event:checked").each(function() { +- var n = this.id.split("_"); +- $("#class_box_" + n[1]).attr('class', newClass); +- $("#class_box_" + n[1]).text(selClass); +- if (curtotalparentcount > 0) { +- $(this).prop("disabled",true); +- } +- }); +- } +- $(".d_row_sub1").css("background-color", "#fafafa"); +- $(".d_row_sub1").hover(function(){$(this).css("background-color", "#f4f4f4")}, +- function(){$(this).css("background-color", "#fafafa")}); +- } +- +- // Uncheck everything +- $(".chk_event").prop("checked", false); +- $(".chk_all").prop("checked", false); +- // Remove these scids from 
the L1 scidlist +- if ($("#ca0")[0] && rtbit == 1) { +- var cur_scidlist = scidlist.split(','); +- var active_scidlist = $("#ca0").data("scid"); +- for (var i = 0; i < cur_scidlist.length; i++) { +- active_scidlist = active_scidlist.replace(cur_scidlist[i],''); +- } +- active_scidlist = active_scidlist.replace(/,{2,}/g,','); +- active_scidlist = active_scidlist.replace(/(^,|,$)/g,''); +- $("#ca0").data("scid", active_scidlist); +- } +- catMsg(scidlist.split(',').length, curtotalrtcount); +- } else { +- catMsg(0); +- } +- } +- } +- +- function catMsg(count, rtcount) { +- switch (count) { +- default: +- var ess = ''; +- if ( count > 1 ) ess = 's'; +- +- var numrows = Number($('.d_row').length + $('.d_row_sub1').length); +- var newboxtotal = 0, newcatcount = 0; +- newboxtotal = parseInt($("#qtotal").text() - rtcount); +- $("#qtotal").text(newboxtotal); +- +- // If we are just rt update Total boxes as we go +- if ($("#ca2")[0]) { // We are ungrouped +- newcatcount = parseInt($("#cat_count").text() - count); +- if (newcatcount == 0) { +- newView("u"); +- } else { +- $("#cat_count").text(newcatcount); +- } +- } +- +- if (numrows == 0) { +- newView("u"); +- } +- +- var msg = count + " event" + ess + " categorized"; +- clearTags(); +- break; +- } +- +- $("span.class_msg").text(msg); +- $("span.class_msg").fadeIn('slow', function() { +- setTimeout(function(){ +- $(".class_msg").fadeOut('slow'); +- }, 3000); +- }); +- } +- +- // Load summary tab +- function loadSummary() { +- var limit = 10; +- if ($('#wm0')[0]) { +- doMap("redraw"); +- } else { +- doMap("draw"); +- } +- mkSummary("signature",limit); +- mkSummary("srcip",limit); +- mkSummary("dstip",limit); +- mkSummary("srcpt",limit); +- mkSummary("dstpt",limit); +- mkSummary("srccc",limit); +- mkSummary("dstcc",limit); +- } +- +- // Toggle summary section +- $(document).on("click", ".hidepane", function(e) { +- $('#topsignature').toggle(); +- }); +- +- // Summary tab +- function mkSummary(box,limit) { +- var theWhen = 
getTimestamp(); +- var theSensors = s2h('empty'); +- var theFilter = mkFilter(); +- // See if we are filtering by sensor +- if ($('.chk_sen:checked').length > 0) { +- var active_sensors = "AND event.sid IN("; +- var iter = $('.chk_sen:checked').length; +- $('.chk_sen:checked').each(function() { +- active_sensors += "'" + $(this).val() + "',"; +- }); +- active_sensors = active_sensors.replace(/,+$/,''); +- active_sensors += ")"; +- theSensors = s2h(active_sensors); +- } +- +- var ldr = "
"; +- $('#ov_' + box + '_sl').prepend(ldr); +- $('#top' + box).fadeTo('fast', 0.2); +- switch (box) { +- case "srcip": +- var cbArgs = "srcip"; +- var qargs = "ip-src"; +- var urArgs = "type=15&qargs=" + qargs + "&filter=" + theFilter + "&sensors=" + theSensors + "&limit=" + limit + "&ts=" + theWhen; +- $(function(){ +- $.get(".inc/callback.php?" + urArgs, function(data){cb15(data,cbArgs)}); +- }); +- break; +- case "dstip": +- var cbArgs = "dstip"; +- var qargs = "ip-dst"; +- var urArgs = "type=15&qargs=" + qargs + "&filter=" + theFilter + "&sensors=" + theSensors + "&limit=" + limit + "&ts=" + theWhen; +- $(function(){ +- $.get(".inc/callback.php?" + urArgs, function(data){cb15(data,cbArgs)}); +- }); +- break; +- case "srcpt": +- var cbArgs = "srcpt"; +- var qargs = "pt-src"; +- var urArgs = "type=15&qargs=" + qargs + "&filter=" + theFilter + "&sensors=" + theSensors + "&limit=" + limit + "&ts=" + theWhen; +- $(function(){ +- $.get(".inc/callback.php?" + urArgs, function(data){cb17(data,cbArgs)}); +- }); +- break; +- case "dstpt": +- var cbArgs = "dstpt"; +- var qargs = "pt-dst"; +- var urArgs = "type=15&qargs=" + qargs + "&filter=" + theFilter + "&sensors=" + theSensors + "&limit=" + limit + "&ts=" + theWhen; +- $(function(){ +- $.get(".inc/callback.php?" + urArgs, function(data){cb17(data,cbArgs)}); +- }); +- break; +- case "signature": +- var qargs = "sig-sig"; +- var urArgs = "type=15&qargs=" + qargs + "&filter=" + theFilter + "&sensors=" + theSensors + "&limit=" + limit + "&ts=" + theWhen; +- $(function(){ +- $.get(".inc/callback.php?" + urArgs, function(data){cb16(data)}); +- }); +- break; +- case "srccc": +- var cbArgs = "srccc"; +- var qargs = "cc-src"; +- var urArgs = "type=15&qargs=" + qargs + "&filter=" + theFilter + "&sensors=" + theSensors + "&limit=" + limit + "&ts=" + theWhen; +- $(function(){ +- $.get(".inc/callback.php?" 
+ urArgs, function(data){cb15(data,cbArgs)}); +- }); +- break; +- case "dstcc": +- var cbArgs = "dstcc"; +- var qargs = "cc-dst"; +- var urArgs = "type=15&qargs=" + qargs + "&filter=" + theFilter + "&sensors=" + theSensors + "&limit=" + limit + "&ts=" + theWhen; +- $(function(){ +- $.get(".inc/callback.php?" + urArgs, function(data){cb15(data,cbArgs)}); +- }); +- break; +- } +- +- // IP and Country +- function cb15(data,cbArgs){ +- var ch = "SRC"; +- var wip = "d"; +- if (cbArgs[0] == "s") ch = "DST", wip = "s"; +- eval("raw=" + data); +- var tbl = '', head = '', row = ''; +- head += ""; +- head += "COUNT"; +- head += "%TOTAL"; +- head += "#SIG"; +- head += "#" + ch + ""; +- if (cbArgs[3] == "c") { +- head += "COUNTRY"; +- head += "#IP"; +- } else { +- head += "IP"; +- head += "COUNTRY"; +- } +- head += ""; +- +- var eventsum = raw[raw.length - 1].n || 0; +- var records = raw[raw.length - 1].r || 0; +- if (records == 0) { +- row = "No result."; +- $("#ov_" + cbArgs + "_sl").text(""); +- } +- for (var i=0; i 0) per = parseFloat(cnt/eventsum*100).toFixed(2); +- row += ""; +- row += "" + cnt + ""; +- row += "" + per + "%"; +- row += "" + sigs + ""; +- row += "" + ip2 + ""; +- +- if (cbArgs[3] == "c") { +- row += ""; +- row += cs[1] + clong + " (." + cc.toLowerCase() + ")" + ""; +- row += "" + ip + ""; +- } else { +- row += "
" + ip + ""; +- row += ""; +- row += cs[1] + clong + " (." + cc.toLowerCase() + ")" + ""; +- } +- row += ""; +- row += "
"; +- } +- tbl += ""; +- tbl += head; +- tbl += row; +- tbl += "
"; +- if ($("#top" + cbArgs)[0]) $("#top" + cbArgs).remove(); +- $("#ov_" + cbArgs + "_sl").after(tbl); +- $("#ov_" + cbArgs + "_msg").html("viewing " + i + " of " + records + " results"); +- mkSlider("ov_" + cbArgs + "_sl", i, records); +- } +- +- // Ports +- function cb17(data,cbArgs){ +- eval("raw=" + data); +- var tbl = '', head = '', row = ''; +- head += ""; +- head += "COUNT"; +- head += "%TOTAL"; +- head += "#SIG"; +- head += "#SRC" +- head += "#DST"; +- head += "PORT"; +- head += ""; +- +- var eventsum = raw[raw.length - 1].n || 0; +- var records = raw[raw.length - 1].r || 0; +- if (records == 0) { +- row = "No result."; +- $("#ov_" + cbArgs + "_sl").text(""); +- } +- for (var i=0; i 0) per = parseFloat(cnt/eventsum*100).toFixed(2); +- row += ""; +- row += "" + cnt + ""; +- row += "" + per + "%"; +- row += "" + sigs + ""; +- row += "" + src + ""; +- row += "" + dst + ""; +- row += "" + port + ""; +- row += ""; +- row += "
"; +- } +- tbl += ""; +- tbl += head; +- tbl += row; +- tbl += "
"; +- if ($("#top" + cbArgs)[0]) $("#top" + cbArgs).remove(); +- $("#ov_" + cbArgs + "_sl").after(tbl); +- $("#ov_" + cbArgs + "_msg").html("viewing " + i + " of " + records + " results"); +- mkSlider("ov_" + cbArgs + "_sl", i, records); +- } +- // Signature +- function cb16(data){ +- eval("raw=" + data); +- var tbl = '', head = '', row = ''; +- head += ""; +- head += "COUNT"; +- head += "%TOTAL"; +- head += "#SRC"; +- head += "#DST"; +- head += "SIGNATURE"; +- head += "ID"; +- head += ""; +- +- var eventsum = raw[raw.length - 1].n || 0; +- var records = raw[raw.length - 1].r || 0; +- if (records == 0) { +- row = "No result."; +- $("#ov_signature_sl").text(""); +- $("#ovestat").html("(No events)"); +- } else { +- $("#ovestat").html("(" + eventsum + " events)"); +- } +- for (var i=0; i 0) per = parseFloat(cnt/eventsum*100).toFixed(2); +- row += ""; +- row += "" + cnt + ""; +- row += "" + per + "%"; +- row += "" + src + ""; +- row += "" + dst + ""; +- row += "" + sig + ""; +- row += "" + sid + ""; +- row += ""; +- row += "
"; +- } +- +- tbl += ""; +- tbl += head; +- tbl += row; +- tbl += "
"; +- if ($('#topsignature')[0]) $('#topsignature').remove(); +- $("#ov_signature_sl").after(tbl); +- $("#ov_signature_msg").html("viewing " + i + " of " + records + " results"); +- mkSlider("ov_signature_sl", i, records); +- } +- } +- +- $(".ovsl").mouseup(function() { +- var section = $(this).attr('id'); +- var base = section.split("_")[1]; +- var limit = Number($("#" + section + "_lbl").text()); +- if (limit > 0) mkSummary(base, limit); +- }); +- +- // +- // Views tab +- // +- +- function loadViews() { +- $('.db_links').show(); +- if (!$("#db_view_cont")[0]) mkView(); +- } +- +- // Link handlers +- $(document).on('click', '.db_link', function() { +- $('.db_link').each(function() { +- if ($(this).data('state') == '1') { +- $(this).removeClass('db_link_active'); +- $(this).data('state', '0'); +- } +- }); +- $(this).data('state', '1'); +- mkView(); +- }); +- +- $(document).on('click', '.db_type', function() { +- $('.db_type').each(function() { +- if ($(this).data('state') == '1') { +- $(this).removeClass('db_type_active'); +- $(this).data('state', '0'); +- } +- }); +- $(this).data('state', '1'); +- mkView(); +- }); +- +- $(document).on('click','.db_save', function() { +- +- }); +- +- // Create the view +- function mkView() { +- $('#db_view_cont,#hp_info').remove(); +- if (!$("#db_view_ldr")[0]) { +- var view = 'ip'; +- $('.db_link').each(function() { +- if ($(this).data('state') == '1') { +- $(this).addClass('db_link_active'); +- view = $(this).data('val'); +- } +- }); +- +- var type = 'sk'; +- $('.db_type').each(function() { +- if ($(this).data('state') == '1') { +- $(this).addClass('db_type_active'); +- type = $(this).data('type'); +- } +- }); +- +- var theWhen = getTimestamp(); +- var theSensors = s2h('empty'); +- var theFilter = mkFilter(); +- // See if we are filtering by sensor +- if ($('.chk_sen:checked').length > 0) { +- var active_sensors = "AND event.sid IN("; +- var iter = $('.chk_sen:checked').length; +- $('.chk_sen:checked').each(function() { +- 
active_sensors += "'" + $(this).val() + "',"; +- }); +- active_sensors = active_sensors.replace(/,+$/,''); +- active_sensors += ")"; +- theSensors = s2h(active_sensors); +- } +- +- var ldr = "
"; +- $('.db_view').after(ldr); +- var qargs = view + "-" + type; +- var urArgs = "type=16&qargs=" + qargs + "&filter=" + theFilter + "&sensors=" + theSensors + "&ts=" + theWhen; +- $(function(){ +- $.get(".inc/callback.php?" + urArgs, function(data){cb17(data,type)}); +- }); +- +- function cb17(data,type) { +- eval("viewData=" + data); +- var records = viewData.records; +- if ($('#db_view_cont')[0]) $('#db_view_cont').remove(); +- if (records > 0) { +- $('.db_view').after("
"); +- switch (type) { +- case 'sk': +- var w = $(window).width(); +- var h = viewData.links.length * 12; +- if (h < 100) h = 100; +- mkSankey("db_view_cont",viewData,w,h); +- break; +- } +- } else { +- $('.db_view').after("
The query returned no results.
"); +- } +- $('#db_view_ldr').remove(); +- } +- } +- } +- +- // Make a map +- function doMap() { +- theWhen = getTimestamp(); +- var theFilter = mkFilter(); +- var working = "Working
"; +- +- $('#wm0').html(working); +- +- var urArgs = "type=" + 10 + "&filter=" + theFilter + "&ts=" + theWhen; +- $(function(){ +- $.get(".inc/callback.php?" + urArgs, function(data){cb10(data)}); +- }); +- +- function cb10(data){ +- eval("mapRaw=" + data); +- try { +- var mapDetail = $.parseJSON("{" + mapRaw.all + "}"); +- var srcc = mapRaw.srcc; +- var srce = mapRaw.srce; +- var dstc = mapRaw.dstc; +- var dste = mapRaw.dste; +- var allc = mapRaw.allc; +- var alle = mapRaw.alle; +- } +- catch(e) { +- var mapDetail = "{\"\"}"; +- } +- +- // What is our current event total? +- var esum = $('#event_sum').val(); +- var w = $(window).width() - 72; +- var h = w / 2.7 ; +- $("#ov_map").html("
"); +- $('#wm0').vectorMap({ +- map: 'world_mill_en', +- color: '#f4f3f0', +- backgroundColor: '#CFE1FC', +- zoomOnScroll: false, +- onRegionClick: function(event, code){ +- hItemAdd(code); +- $('#search').val("cc" + " " + code); +- $('#search').focus(); +- }, +- series: { +- regions: [{ +- values: mapDetail, +- scale: ['#ffffff', '#000000'], +- normalizeFunction: 'polynomial' +- }] +- }, +- onRegionLabelShow: function(e, el, code){ +- if (mapDetail[code]) { +- var eper = parseFloat(mapDetail[code]/esum*100).toFixed(3); +- el.html(el.html() + ' (' + mapDetail[code] + ' Events ' + eper + '% of Total)'); +- } else { +- el.html(el.html()); +- } +- } +- }); +- +- var stats = "("; +- stats += allc + " distinct countries)"; +- $("#ovmapstat").html(stats); +- } +- } +- +- // Redraw map +- $(document).on("click", "#map_src, #map_dst", function() { +- doMap($(this).attr('id').split("_")[1]); +- }); +- +- // +- // History +- // +- +- function doHistory(object) { +- $('#loader').show(); +- var urArgs = "type=" + 21 + "&object=" + s2h("aa" + object) + "&ts=" + theWhen; +- $(function(){ +- $.get(".inc/callback.php?" 
+ urArgs, function(data){cb21(data)}); +- }); +- +- function cb21(data){ +- eval("chartData=" + data); +- var r1 = chartData.r1; +- var r2 = chartData.r2; +- var sum = 0; +- if (r1 > 0) { +- mkHeatMap(".ev_hm",chartData.start,chartData.rows1,object); +- $('#obhist_sig').remove(); +- if (r2 > 0) { +- +- for (var i=0; i < r2; i++) { +- sum += Number(chartData.rows2[i].value); +- } +- +- var tbl = '', head = '', row = ''; +- head += ""; +- head += "COUNT"; +- head += "%TOTAL"; +- head += "SIGNATURE"; +- head += ""; +- row += ""; +- +- for (var i=0; i < r2; i++) { +- +- var cnt = chartData.rows2[i].value || "-"; +- var sig = chartData.rows2[i].label || "-"; +- var sid = chartData.rows2[i].sid || "-"; +- var per = 0; +- if (sum > 0) var per = parseFloat(cnt/sum*100).toFixed(2); +- var tsg = truncTag(sig,60); +- +- row += ""; +- row += "" + cnt + ""; +- row += "" + per + "%"; +- row += "" + tsg + ""; +- row += "" +- row += "
"; +- } +- +- row += ""; +- tbl += ""; +- tbl += head; +- tbl += row; +- tbl += "
"; +- if ($('#obhist_sig')[0]) $('#obhist_sig').remove(); +- $(".ev_py").append(tbl); +- } +- } else { +- return; +- } +- if ($(".eview_charts")[0]) $('.eview_charts').slideDown('slow'); +- $("#loader").hide(); +- } +- } +-// The End. +-}); +--- securityonion-squert-20161212.orig/login.php ++++ /dev/null +@@ -1,138 +0,0 @@ +- +-// +-// This program is free software: you can redistribute it and/or modify +-// it under the terms of the GNU General Public License as published by +-// the Free Software Foundation, either version 3 of the License, or +-// (at your option) any later version. +-// +-// This program is distributed in the hope that it will be useful, +-// but WITHOUT ANY WARRANTY; without even the implied warranty of +-// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +-// GNU General Public License for more details. +-// +-// You should have received a copy of the GNU General Public License +-// along with this program. If not, see . +-// +-// +- +-include_once '.inc/config.php'; +- +-$username = $password = $err = ''; +-$focus = 'username'; +-session_set_cookie_params(0, NULL, NULL, NULL, TRUE); +- +-function cleanUp($string) { +- if (get_magic_quotes_gpc()) { +- $string = stripslashes($string); +- } +- $string = mysql_real_escape_string($string); +- return $string; +-} +- +-if ($_SERVER['REQUEST_METHOD'] == 'POST'){ +- $username = $_REQUEST['username']; +- $password = $_REQUEST['password']; +- $ua = $_SERVER['HTTP_USER_AGENT']; +- $rqt = $_SERVER['REQUEST_TIME']; +- $rqaddr = $_SERVER['REMOTE_ADDR']; +- $max = mt_getrandmax(); +- $rqt .= mt_rand(0,$max); +- $rqaddr .= mt_rand(0,$max); +- $ua .= mt_rand(0,$max); +- $cmpid = $rqt . $rqaddr . 
$ua; +- $id = md5($cmpid); +- $db = mysql_connect($dbHost,$dbUser,$dbPass); +- $link = mysql_select_db($dbName, $db); +- if ($link) { +- $user = cleanUp($username); +- $query = "SELECT * FROM user_info WHERE username = '$user'"; +- $result = mysql_query($query); +- $numRows = mysql_num_rows($result); +- +- if ($numRows > 0) { +- while ($row = mysql_fetch_row($result)) { +- $userName = $row[1]; +- $lastLogin = $row[2]; +- $userHash = $row[3]; +- $userEmail = $row[4]; +- $userType = $row[5]; +- $userTime = $row[6]; +- $tzoffset = $row[7]; +- } +- // The first 2 chars are the salt +- $theSalt = substr($userHash, 0,2); +- +- // The remainder is the hash +- $theHash = substr($userHash, 2); +- +- // Now we hash the users input +- $testHash = sha1($password . $theSalt); +- +- // Does it match? If yes, start the session. +- if ($testHash === $theHash) { +- session_start(); +- +- // Protect against session fixation attack +- if (!isset($_SESSION['initiated'])) { +- session_regenerate_id(); +- $_SESSION['initiated'] = true; +- } +- +- $_SESSION['sLogin'] = 1; +- $_SESSION['sUser'] = $userName; +- $_SESSION['sPass'] = $password; +- $_SESSION['sEmail'] = $userEmail; +- $_SESSION['sType'] = $userType; +- $_SESSION['sTime'] = $userTime; +- $_SESSION['tzoffset'] = $tzoffset; +- $_SESSION['sTab'] = 't_sum'; +- $_SESSION['id'] = $id; +- +- header ("Location: index.php?id=$id"); +- } else { +- $err = 'The user name or password is incorrect.'; +- $focus = 'username'; +- } +- } else { +- $err = 'The user name or password is incorrect.'; +- $focus = 'username'; +- } +- } else { +- $err = 'Connection Failed'; +- } +-} +-?> +- +- +- +-Please login to continue +- +- +- +- +-
+-
+- +- +- +- +- +- +-
+-squert - Please login to continue
+-Username
+-
+-Password
+-
+-

+-
Version 1.6.7©2016 Paul Halliday
+-
+-
+- +- +- diff --git a/debian/patches/improve-input-validation-and-output-filtering b/debian/patches/improve-input-validation-and-output-filtering new file mode 100644 index 0000000..77fe31a --- /dev/null +++ b/debian/patches/improve-input-validation-and-output-filtering 
@@ -0,0 +1,98 @@ +Description: + TODO: Put a short summary on the line above and replace this paragraph + with a longer explanation of this change. Complete the meta-information + with other relevant fields (see below for details). To make it easier, the + information below has been extracted from the changelog. Adjust it or drop + it. + . + securityonion-squert (20161212-1ubuntu1securityonion15) trusty; urgency=medium + . + * improve input validation and output filtering +Author: Doug Burks + +--- +The information above should follow the Patch Tagging Guidelines, please +checkout http://dep.debian.net/deps/dep3/ to learn about the format. Here +are templates for supplementary fields that you might want to add: + +Origin: , +Bug: +Bug-Debian: http://bugs.debian.org/ +Bug-Ubuntu: https://launchpad.net/bugs/ +Forwarded: +Reviewed-By: +Last-Update: + +--- securityonion-squert-20161212.orig/.inc/callback.php ++++ securityonion-squert-20161212/.inc/callback.php +@@ -622,7 +622,16 @@ function filters() { + $rows = array(); + + while ($row = mysql_fetch_assoc($result)) { +- $rows[] = $row; ++ # we're now iterating through each row of the filter table ++ # for each field in that row, we need to sanitize before output ++ foreach ($row as &$value) { ++ # https://paragonie.com/blog/2015/06/preventing-xss-vulnerabilities-in-php-everything-you-need-know ++ $value = htmlentities($value, ENT_QUOTES | ENT_HTML5, 'UTF-8'); ++ } ++ # must unset $value per http://php.net/manual/en/control-structures.foreach.php ++ unset($value); ++ # now add the sanitized row to the $rows array ++ $rows[] = $row; + } + + $theJSON = json_encode($rows); +--- securityonion-squert-20161212.orig/.js/squertBoxes.js ++++ securityonion-squert-20161212/.js/squertBoxes.js +@@ -490,7 +490,7 @@ $(document).ready(function(){ + } + } + if (emptyVal > 0) throw 0; +- ++ + // Sanitize alias + var re = /^[?a-zA-Z][\w-]*$/; + var OK = re.exec(filterTxt.alias); +@@ -503,7 +503,16 @@ $(document).ready(function(){ + // 
Make sure we dont match a builtin + var builtins = ["cc","dip","dpt","ip","sid","sig","sip","spt","scc","dcc","st"]; + if (builtins.indexOf(filterTxt.alias) != -1) throw 1; +- ++ ++ // Sanitize name ++ var re = /^[?a-zA-Z][\w-]*$/; ++ var OK = re.exec(filterTxt.name); ++ if (!OK) throw 2; ++ if (filterTxt.name == "New") throw 2; ++ ++ // If creating a new filter make sure this name doesn't already exist ++ if ($("#tr_" + filterTxt.name)[0] && $('#tr_New')[0]) throw 2; ++ + // Continue.. + oldCL = currentCL; + var ftype = $(".hp_type_active").data("val"); +@@ -553,6 +562,12 @@ $(document).ready(function(){ + eMsg += "Aa-Zz, 0-9, - and _ . "; + eMsg += "The word \"New\" is reserved and may not be used."; + break; ++ case 2: ++ eMsg += "
Error!
" ++ eMsg += "Valid characters are: "; ++ eMsg += "Aa-Zz, 0-9, - and _ . "; ++ eMsg += "The word \"New\" is reserved and may not be used."; ++ break; + default: + eMsg += "
Format error!
"; + eMsg += "Please ensure the format above is valid JSON. "; +--- securityonion-squert-20161212.orig/login.php ++++ securityonion-squert-20161212/login.php +@@ -130,7 +130,7 @@ Password
+

+ + +-
Version 1.6.6©2016 Paul Halliday
++
Version 1.6.7©2016 Paul Halliday
+ + + diff --git a/debian/patches/improve-postinst b/debian/patches/improve-postinst new file mode 100644 index 0000000..901e911 --- /dev/null +++ b/debian/patches/improve-postinst 
@@ -0,0 +1,13709 @@ +Description: + TODO: Put a short summary on the line above and replace this paragraph + with a longer explanation of this change. Complete the meta-information + with other relevant fields (see below for details). To make it easier, the + information below has been extracted from the changelog. Adjust it or drop + it. + . + securityonion-squert (20161212-1ubuntu1securityonion19) trusty; urgency=medium + . + * improve postinst +Author: Doug Burks + +--- +The information above should follow the Patch Tagging Guidelines, please +checkout http://dep.debian.net/deps/dep3/ to learn about the format. Here +are templates for supplementary fields that you might want to add: + +Origin: , +Bug: +Bug-Debian: http://bugs.debian.org/ +Bug-Ubuntu: https://launchpad.net/bugs/ +Forwarded: +Reviewed-By: +Last-Update: + +--- /dev/null ++++ securityonion-squert-20161212/.auth/native/squert/.js/squertMain.js +@@ -0,0 +1,3275 @@ ++/* Copyright (C) 2012 Paul Halliday */ ++ ++$(document).ready(function(){ ++ ++ $(document).on('click', '[class*="bpr"]', function() { ++ // We disallow filtering if any events have already been selected ++ // or if we stray from the event tab ++ if ($('.d_row_active')[0]) return; ++ if ($(".chk_event:checked").length > 0) return; ++ if ($(".tab_active").attr('id') != 't_sum') return; ++ ++ var prClass = $(this).attr('class').split('b')[1]; ++ var prOld = $(this).data('pr'); ++ ++ function flipIt(pattern) { ++ $(pattern).closest('tr').hide(); ++ $(pattern).closest('tr').attr('class','hidden'); ++ if ($('#gr').text() == 'on') $(pattern).closest('tr').find('.chk_event').prop("disabled",true); ++ } ++ if ($('.b' + prClass).attr('class') == 'bprA') { ++ $('.b' + prClass).attr('class', 'bpr' + prOld); ++ $('.hidden').attr('class','d_row'); ++ $('.d_row').show(); ++ if ($('#gr').text() == 'on') { ++ $('.chk_event').prop("disabled",false); ++ $('.chk_all').prop("checked",false); ++ $('.chk_event').css("background-color", "#fafafa"); ++ } ++ } 
else { ++ // See if we are already filtered ++ if ($('.bprA')[0]) { ++ $('.hidden').attr('class','d_row'); ++ $('.d_row').show(); ++ if ($('#gr').text() == 'on') { ++ $('.chk_event').prop("disabled",false); ++ $('.chk_all').prop("checked",false); ++ $('.chk_event').css("background-color", "#fafafa"); ++ } ++ var prPrev = $('.bprA').data('pr'); ++ $('.bprA').attr('class', 'bpr' + prPrev); ++ } ++ $('.b' + prClass).attr('class','bprA'); ++ switch (prClass) { ++ case "pr1": ptrn = ".pr2,.pr3,.pr4"; break; ++ case "pr2": ptrn = ".pr1,.pr3,.pr4"; break; ++ case "pr3": ptrn = ".pr1,.pr2,.pr4"; break; ++ case "pr4": ptrn = ".pr1,.pr2,.pr3"; break; ++ } ++ flipIt(ptrn); ++ } ++ }); ++ ++ // ++ // Load main content ++ // ++ ++ // Keep track of context ++ thisUser = $('#t_usr').data('c_usr'); ++ thisTZ = $('#user_tz').val(); ++ rtbit = 0; ++ eventList("0-aaa-00"); ++ $("#loader").show(); ++ lastclasscount = 0; ++ ++ $(document).on("click", "#dt_savetz", function(event) { ++ if ($('.dt_error').data('err') == 0) { ++ var newOffset = $('#ts_offset').val(); ++ profileUpdate("tz", s2h(newOffset)); ++ $('#user_tz').val(newOffset); ++ } ++ }); ++ ++ // Depending on context a 'No result' may be confusing ++ // so we turn off active queue and show everything ++ $(document).on('click', '#retry', function() { ++ $('#rt').attr('class','tvalue_off'); ++ $('#rt').text('off'); ++ rtbit = 0; ++ $('.b_update').click(); ++ }); ++ ++ // Get event statuses ++ var eTotal = 0, qTotal = 0; ++ function statusPoll(caller) { ++ // See if we are filtering by sensor ++ var theSensors = s2h('empty'); ++ if ($('.chk_sen:checked').length > 0) { ++ var active_sensors = "AND event.sid IN("; ++ var iter = $('.chk_sen:checked').length; ++ $('.chk_sen:checked').each(function() { ++ active_sensors += "'" + $(this).val() + "',"; ++ }); ++ active_sensors = active_sensors.replace(/,+$/,''); ++ active_sensors += ")"; ++ theSensors = s2h(active_sensors); ++ } ++ ++ var urArgs = "type=" + 6 + "&ts=" + theWhen + 
"&sensors=" + theSensors; ++ $(function(){ ++ $.get(".inc/callback.php?" + urArgs, function(data){cb(data)}); ++ }); ++ ++ function cb(data){ ++ // Check to make sure we still have a valid session. If we don't ++ // let the user know and return them to the login page. ++ if (data[0] == "<") { ++ $("span.class_msg").text("Your session has expired!"); ++ $("span.class_msg").css("background-color", "#cc0000"); ++ $("span.class_msg").css("color", "#fff"); ++ $("span.class_msg").show(); ++ var sessionDead = confirm("Your session has expired. Press \"OK\" to return to the login page. If you aren't finished with what you were looking at click 'Cancel'. Note: you won't be able to perform any actions."); ++ if (sessionDead) { ++ $("#logout").click(); ++ } ++ } ++ eval("ec=" + data); ++ ++ var esum = 0; ++ ++ for (var i=0; i 0) { ++ var p = parseFloat(ecount/esum*100).toFixed(1); ++ var w = parseInt(p*2); ++ } ++ if (eclass == 0) { ++ qTotal = ecount; ++ } ++ $("#c-" + eclass).text(ecount); ++ $("#c-" + eclass).append("(" + p + "%)"); ++ } ++ ++ var lastcount = $("#cat_sum").val(); ++ var newcount = esum; ++ $("#cat_sum").val(esum); ++ eTotal = esum; ++ $("#event_sum").val(eTotal); ++ ++ if (caller == 0) { // Fresh load ++ lastcount = newcount; ++ } ++ ++ // Last RT value ++ var lastQ = Number($("#qtotal").html()); ++ if (lastcount < newcount) { ++ $("#etotal").html(eTotal); ++ } ++ ++ if (lastQ < qTotal) { ++ if (caller != 0) { ++ if ($(".icon_notifier").css('display') == 'none') $(".icon_notifier").fadeToggle(); ++ } ++ $("#etotal").html(eTotal); ++ $("#qtotal").html(qTotal); ++ } ++ ++ $("#title").html("squert (" + qTotal + ") - " + thisUser); ++ ++ } ++ ++ } ++ ++ // ++ // Event monitor (how often we poll for new events) ++ // ++ ++ var emTimeout = 30000; ++ window.setInterval(function(){ ++ if ($('#search').val().length == 0) { ++ statusPoll(1); ++ } ++ }, emTimeout); ++ ++ $(document).on("click", '[class*="cl_"]', function(event) { ++ var nc = 
$(this).attr('class').split("_"); ++ var ct = $(this).parents('table').data('comment'); ++ $(".cat_msg_txt").val(ct); ++ $('#b_class-' + nc[1]).click(); ++ }); ++ ++ // Tabs ++ var tab_cached = $("#sel_tab").val(); ++ ++ switch (tab_cached) { ++ case "t_sum": ++ $('.content-right').show(); ++ break; ++ case "t_ovr": ++ $('.content-right').hide(); ++ $('.content-left').hide(); ++ if ($('#ovestat').text().length == 0) loadSummary(); ++ break; ++ case "t_view": ++ $('.content-right').hide(); ++ $('.content-left').hide(); ++ loadViews(); ++ default: ++ $('.content-right').hide(); ++ $('.content-left').hide(); ++ break; ++ } ++ ++ $('#' + tab_cached).attr('class','tab_active'); ++ $("#" + tab_cached + "_content").attr('class','content_active'); ++ ++ $(".tab,.tab_active").click(function(event) { ++ var active = $(".tab_active").attr('id'); ++ var content = $(".content_active").attr('id'); ++ if ($(".fl_val_on")[0]) { ++ $('.b_update').click(); ++ } ++ ++ if ( this.id != active ) { ++ $("#" + active).removeClass('tab_active'); ++ $("#" + active).addClass('tab'); ++ $(this).attr('class','tab_active'); ++ $("#" + content).attr('class','content'); ++ $("#" + this.id + "_content").attr('class','content_active'); ++ activeTab = $(".tab_active").attr('id'); ++ $('.pin').hide(); ++ ++ switch (activeTab) { ++ case "t_sum": ++ $('.content-right').show(); ++ if (Number($('.botog').data('val')) == 1) $('.content-left').show(); ++ $('.t_pbar').css('opacity',1); ++ $('.db_links').hide(); ++ $('.pin').show(); ++ break; ++ case "t_ovr": ++ $('.content-right').hide(); ++ $('.content-left').hide(); ++ if ($('#ovestat').text().length == 0) loadSummary(); ++ $('.t_pbar').css('opacity',.1); ++ $('.db_links').hide(); ++ break; ++ case "t_view": ++ $('.content-right').hide(); ++ $('.content-left').hide(); ++ $('.t_pbar').css('opacity',.1); ++ loadViews(); ++ break; ++ default: ++ $('.content-right').hide(); ++ $('.content-left').hide(); ++ $('.t_pbar').css('opacity',.1); ++ 
$('.db_links').hide(); ++ break; ++ } ++ ++ $('#sel_tab').val(activeTab); ++ var ctab = $('#sel_tab').val(); ++ var urArgs = "type=" + 5 + "&tab=" + ctab; ++ $.get(".inc/callback.php?" + urArgs); ++ } ++ }); ++ ++ // Sub tab groups ++ $(".tsg").click(function(event) { ++ var nc = Number($(this).attr('class').split(/\s/).length); ++ var ct = $(this).data('tab'); ++ $('.tsg_active').attr('class','tsg'); ++ $(this).attr('class','tsg tsg_active'); ++ }); ++ ++ // Toggle and update views ++ function newView(req) { ++ // No racing please ++ var bail = $("#loader").css('display'); ++ if (bail != 'none') return; ++ // Remove any stale views ++ $("#tl0,#tl1,#tl3a,#tl3b").remove(); ++ var f = "0-aaa-00"; ++ var s = "2a-aaa-00"; ++ var cv = $("#gr").text(); ++ ++ switch (cv) { ++ case "on": ++ eventList(f); ++ $("#loader").show(); ++ break; ++ case "off": ++ eventList(s); ++ $("#loader").show(); ++ break; ++ } ++ } ++ ++ // Group and ungroup ++ $(document).on("click", "#gr", function(event) { ++ var bail = $("#loader").css('display'); ++ if (bail != 'none') return; ++ var cv = $('#gr').text(); ++ switch (cv) { ++ case 'on': ++ $('#gr').attr('class','tvalue_off'); ++ $('#gr').text('off'); ++ break; ++ case 'off': ++ $('#gr').attr('class','tvalue_on'); ++ $('#gr').text('on'); ++ $("#event_sort").val("DESC"); ++ break; ++ } ++ }); ++ ++ // RT check/uncheck ++ $(document).on("click", "#rt", function(event) { ++ var bail = $("#loader").css('display'); ++ if (bail != 'none') return; ++ var cv = $('#rt').text(); ++ switch (cv) { ++ case 'on': ++ $('#rt').attr('class','tvalue_off'); ++ $('#rt').text('off'); ++ rtbit = 0; ++ break; ++ case 'off': ++ $('#rt').attr('class','tvalue_on'); ++ $('#rt').text('on'); ++ rtbit = 1; ++ break; ++ } ++ }); ++ ++ // Toggle side/lower bars ++ $(document).on("click", ".botog", function(event) { ++ if ($('.tab_active').attr('id') != 't_sum') return; ++ var n = Number($('.botog').data("val")); ++ switch (n) { ++ case 1: ++ $('.botog').data("val","0"); 
++ $('.content-right').css("width","100%"); ++ $('.botog').attr('src','.css/layout0.png'); ++ break; ++ case 0: ++ $('.botog').data("val","1"); ++ $('.content-right').css("width","82%"); ++ $('.botog').attr('src','.css/layout1.png'); ++ break; ++ } ++ $('.bottom').animate({height: 'toggle'}); ++ $('.content-left').animate({width: 'toggle'}); ++ }); ++ ++ // Section show and hide ++ $(".st").click(function() { ++ var thisSec = $(this).data("sec"); ++ var thisSecID = "#sec_" + thisSec; ++ var thisSecVis = $(thisSecID).css("display"); ++ var lastSection = "h"; ++ switch (thisSecVis) { ++ case "none": ++ $(this).attr("src", ".css/uarr.png"); ++ $(thisSecID).slideDown(); ++ break; ++ default: ++ $(this).attr("src", ".css/darr.png"); ++ $(thisSecID).slideUp(); ++ break; ++ } ++ }); ++ ++ // If search is in focus, update on enter ++ $('#search').keypress(function(e) { ++ if (!e) e=window.event; ++ key = e.keyCode ? e.keyCode : e.which; ++ if (key == 13) { ++ // Close comment box if it is open ++ if ($('#cat_box').css('display') != 'none') { ++ $('#ico01').click(); ++ } ++ $('.b_update').click(); ++ } ++ }); ++ ++ // Sort ASC/DESC ++ $(document).on("click", ".event_time", function(event) { ++ var csv = $(".event_time").text(); ++ switch (csv) { ++ case "show oldest first": ++ $("#event_sort").val("ASC"); ++ break; ++ case "show newest first": ++ $("#event_sort").val("DESC"); ++ break; ++ } ++ newView("u"); ++ }); ++ ++ // Update page ++ $(document).on("click", ".b_update", function(event) { ++ $(".icon_notifier").fadeToggle(); ++ $(".tag").remove(); ++ $(".tag_empty").show(); ++ // Remove any supplementary results ++ if ($("#extresult")[0]) $("#extresult").remove(); ++ // Where are we? 
++ var curTab = $('.tab_active').attr('id'); ++ switch (curTab) { ++ case 't_ovr': ++ loadSummary(); ++ break; ++ case 't_view': ++ mkView(); ++ break; ++ default: ++ $(".b_update_note").hide(); ++ newView("u"); ++ break; ++ } ++ }); ++ ++ // Clear search and refresh ++ $('#clear_search').click(function() { ++ if ($('#search').val() != '') { ++ $('#search').val(''); ++ $("#search").focus(); ++ if ($(".fl_val_on")[0]) { ++ $('.b_update').click(); ++ } ++ } ++ }); ++ ++ // Logout ++ $("#logout").click(function(event) { ++ $.get("index.php?id=0", function(){location.reload()}); ++ }); ++ ++ // Toggle filters ++ $(document).on('click', '.fl_val_on', function(event) { ++ var wF = $(this).data("ft"); ++ switch (wF) { ++ case "tl": ++ ++ break; ++ case "ob": ++ $('#clear_search').click(); ++ break; ++ case "sn": ++ $(".chk_sen").each(function() { ++ $(this).prop("checked",false); ++ }); ++ $('.b_update').click(); ++ break; ++ } ++ }); ++ ++ function clearTags() { ++ //$(".tag").remove(); ++ //$(".tag_empty").show(); ++ $(".tag").removeClass('tag_active'); ++ } ++ ++ // ++ // Rows ++ // ++ ++ function closeRow() { ++ $("#active_eview").remove(); ++ $("#" + this.id).attr('class','d_row'); ++ $(".d_row").css('opacity','1'); ++ ltCol = $(".d_row_active").find('td.lt').html(); ++ $(".d_row_active").find('td.lt').css('background', ltCol); ++ $(".d_row_active").attr('class','d_row'); ++ // Update class_count ++ $("#class_count").text(lastclasscount); ++ // Get rid of any crashed loaders ++ $("#loader").hide(); ++ // Reset checkbox ++ $(".chk_all").prop("checked",false); ++ // Clear Tags ++ clearTags(); ++ } ++ function closeSubRow() { ++ $("#eview_sub1").remove(); ++ $("#" + this.id).attr('class','d_row_sub'); ++ $(".d_row_sub").css('opacity','1'); ++ $(".d_row_sub_active").attr('class','d_row_sub'); ++ // Update class_count ++ $("#class_count").text(lastclasscount); ++ curclasscount = lastclasscount; ++ $("#loader").hide(); ++ // Reset and show checkbox ++ 
$(".chk_all").prop("checked",false); ++ $("#ca0").show(); ++ // Remove any open externals ++ if ($("#extresult")[0]) $("#extresult").remove(); ++ // Clear Tags ++ clearTags(); ++ } ++ function closeSubRow1() { ++ $("#eview_sub2").remove(); ++ $("#" + this.id).attr('class','d_row_sub1'); ++ if (!$("#eview_sub3")[0]) { ++ $(".d_row_sub1").css('opacity','1'); ++ $(".d_row_sub_active1").attr('class','d_row_sub1'); ++ } ++ $("#loader").hide(); ++ // Reset checkbox ++ $(".chk_all").prop("checked",false); ++ // Remove any open externals ++ if ($("#extresult")[0]) $("#extresult").remove(); ++ // Clear Tags ++ clearTags(); ++ } ++ function closeSubRow2() { ++ $("#eview_sub3").remove(); ++ $("#" + this.id).attr('class','d_row_sub1'); ++ if (!$("#eview_sub2")[0]) { ++ $(".d_row_sub1").css('opacity','1'); ++ $(".d_row_sub1_active").attr('class','d_row_sub1'); ++ } ++ $("#loader").hide(); ++ // Clear Tags ++ clearTags(); ++ } ++ ++ // ++ // Level 1 ++ // ++ ++ $(document).on("click", ".row_active", function(event) { ++ var curID = $(this).parent('tr').attr('id'); ++ // What type of row are we? ++ rowType = curID.substr(0,3); ++ ++ // Make sure no other instances are open ++ if (!$(".d_row_active")[0] && rowType == 'sid') { ++ $("#loader").show(); ++ // This leaves us with sid-gid ++ var rowValue = curID.replace("sid-",""); ++ var sigID = rowValue.split("-")[0]; ++ ++ $(".d_row_active").attr('class', 'd_row'); ++ $("#active_eview").attr('class','d_row'); ++ ++ // This is now the active row ++ $("#" + curID).attr('class','d_row_active'); ++ $("html, body").animate({ scrollTop: $('.d_row_active').offset().top - 140 }, 20); ++ // History ++ var itemToAdd = $("#" + curID).find('[class*="row_filter"]').text(); ++ hItemAdd(itemToAdd); ++ // Set the class count (counted again after load) ++ curclasscount = $('.d_row_active').data('event_count'); ++ var cols = $('th.sort').length; ++ var tbl = ''; ++ tbl += ""; ++ tbl += "
"; ++ tbl += "
"; ++ tbl += "
"; ++ tbl += "
"; ++ tbl += "
"; ++ tbl += "
"; ++ tbl += "
"; ++ tbl += "
"; ++ tbl += ""; ++ tbl += "CATEGORIZE"; ++ tbl += curclasscount + "EVENT(S)  "; ++ tbl += "    "; ++ tbl += "CREATE FILTER: "; ++ tbl += "src  "; ++ tbl += "dst  "; ++ tbl += "both"; ++ tbl += "
"; ++ $("#" + curID).after(tbl); ++ ++ // Lookup signature ++ sigLookup(rowValue); ++ ++ // Fetch results ++ eventList("1-" + rowValue); ++ ++ $("#eview").show(); ++ $(".d_row").fadeTo('0','0.2'); ++ } else { ++ closeRow(); ++ } ++ }); ++ ++ // ++ // Level 2 ++ // ++ ++ $(document).on("click", ".sub_active", function() { ++ if (!$(".d_row_sub_active")[0]) { ++ var callerID = $(this).parent('tr').attr('id'); ++ ++ // Reset checkbox ++ $(".chk_all").prop("checked",false); ++ ++ // RT or ALL? ++ switch (rtbit) { ++ case 1: adqp = s2h("AND event.status = 0"); break; ++ case 0: adqp = s2h("empty"); break; ++ } ++ // We are now the active row ++ $("#" + callerID).attr('class','d_row_sub_active'); ++ ++ // Populate search times ++ var bt = $("#" + callerID).find('[class*="timestamp"]').html(); ++ var est = mkStamp(bt,"-",3600000,thisTZ); ++ var eet = mkStamp(bt,"+",3600000,thisTZ); ++ ++ $('#el_start').val(est); ++ $('#el_end').val(eet); ++ ++ // Clear search terms ++ $("#srchterms").html(''); ++ $(".srch_txt").val(''); ++ ++ // History and search ++ $("#" + callerID).find('[class*="sub_filter"]').each(function() { ++ if ($(this).data('type') == 'cc') { ++ var itemToAdd = $(this).data('value'); ++ } else { ++ var itemToAdd = $(this).text(); ++ // Add search terms ++ $("#srchterms").append("" + itemToAdd + "  "); ++ } ++ hItemAdd(itemToAdd); ++ }); ++ ++ $("#loader").show(); ++ eventList("2-" + callerID + "-" + adqp); ++ } else { ++ closeSubRow(); ++ } ++ }); ++ ++ // ++ // Level 3 (a or b) request payload ++ // ++ ++ $(document).on("click", ".sub1_active", function() { ++ // Close transcript if it is open ++ if ($(".eview_sub3")[0]) closeSubRow2(); ++ if (!$(".d_row_sub_active1")[0]) { ++ var callerID = $(this).parent('tr').attr('id'); ++ $("#" + callerID).attr('class','d_row_sub_active1'); ++ ++ // Populate search times ++ var bt = $("#" + callerID).find('[class*="timestamp"]').html(); ++ var est = mkStamp(bt,"-",1800000,thisTZ); ++ var eet = 
mkStamp(bt,"+",1800000,thisTZ); ++ ++ $('#el_start').val(est); ++ $('#el_end').val(eet); ++ ++ // Clear search terms ++ $("#srchterms").html(''); ++ $(".srch_txt").val(''); ++ ++ // History ++ $("#" + callerID).find('[class*="sub_filter"]').each(function() { ++ if ($(this).data('type') == 'cc') { ++ var itemToAdd = $(this).data('value'); ++ } else { ++ var itemToAdd = $(this).text(); ++ } ++ if ($(this).data('type') == 'ip') { ++ // Add search terms ++ $("#srchterms").append("" + itemToAdd + "  "); ++ } ++ hItemAdd(itemToAdd); ++ }); ++ $("#loader").show(); ++ eventList("3-" + callerID); ++ } else { ++ closeSubRow1() ++ } ++ }); ++ ++ // ++ // Level 3 (a or b) request transcript ++ // ++ ++ $(document).on("click", ".sub2_active", function(event) { ++ // Close payload if it is open ++ if ($(".eview_sub2")[0]) closeSubRow1(); ++ var bail = $("#loader").css('display'); ++ if (bail != 'none') return; ++ if (!$(".eview_sub3")[0]) { ++ $("#loader").show(); ++ composite = $(this).data('tx').split("-"); ++ rowLoke = composite[0]; ++ $("#" + rowLoke).attr('class','d_row_sub1_active'); ++ nCols = $("#" + rowLoke).find('td').length; ++ cid = composite[1]; ++ txdata = composite[2]; ++ ++ // See if a transcript is available ++ var urArgs = "type=" + 7 + "&txdata=" + txdata; ++ $(function(){ ++ $.post(".inc/callback.php?" + urArgs, function(data){cb5(data)}); ++ }); ++ ++ function cb5(data){ ++ eval("txRaw=" + data); ++ txCMD = txRaw.cmd; ++ txResult = txRaw.tx; ++ txDebug = txRaw.dbg; ++ if (txResult == "DEBUG:") txResult += " No data was returned."; ++ if (!txResult) { ++ txResult = "Transcript request failed!

"; ++ txResult += "The command was:
" + txCMD + "

"; ++ txResult += "The response was:" + txDebug.replace(/DEBUG:/g,"
"); ++ } ++ ++ var row = '',tbl = ''; ++ row += ""; ++ row += ""; ++ row += "
"; ++ row += txResult; ++ row += "
"; ++ ++ tbl += ""; ++ tbl += row; ++ tbl += ""; ++ $("#" + rowLoke).after(tbl); ++ ++ // Turn off fade effect for large results ++ var rC = $(".d_row_sub1").length; ++ if ( rC <= 399 ) { ++ $(".d_row_sub1").fadeTo('fast','0.2'); ++ } ++ ++ $("#loader").hide(); ++ } ++ } else { ++ closeSubRow2(); ++ } ++ }); ++ ++ // Toggle RT depending on entry point ++ $(document).on("click", ".b_ec_hot", function() { ++ rtbit = 1; ++ }); ++ $(document).on("click", ".b_ec_total", function() { ++ rtbit = 0; ++ }); ++ ++ // Filter constructor ++ function mkFilter() { ++ if ($('#search').val().length > 0) { ++ ++ var srchVal = $('#search').val(); ++ var fParts = ""; ++ ++ // If no term is supplied default to a string, IP or wildcard IP search ++ chkVal: ++ if (srchVal.indexOf(" ") == -1 && srchVal[0] != "!") { ++ var re = /^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}/; ++ if (re.exec(srchVal)) { ++ srchVal = "ip " + srchVal; ++ break chkVal; ++ } ++ ++ var re = /^(\d{1,3}|%)\.(\d{1,3}|%)\.(\d{1,3}|%)\.(\d{1,3}|%)/; ++ if (re.exec(srchVal)) { ++ srchVal = "wip " + srchVal; ++ break chkVal; ++ } ++ ++ srchVal = "sig " + srchVal; ++ } ++ ++ fParts = srchVal.replace(/^!/,"").split(" "); ++ if (fParts[0] == 'cmt') { ++ var theFilter = s2h($('#search').val()); ++ rtbit = 0; ++ } else { ++ // Now see if the requested filter exists ++ if ($("#tr_" + fParts[0]).length > 0) { ++ tmpFilter = $("#tr_" + fParts[0]).data('filter'); ++ // Now see if we need to modify the query ++ if (fParts[1]) { ++ // This is the base filter ++ preFilter = h2s(tmpFilter); ++ // This is the user supplied text. 
++ var re = new RegExp("^" + fParts[0] + "\\s{1}|[';\\\`]","g"); ++ theQuestion = fParts.join(' ').replace(re, ""); ++ // We will accept multiple questions if they are comma delimited ++ questionParts = theQuestion.split(","); ++ if (questionParts.length > 1) { ++ var f = '('; ++ for (var i = 0; i < questionParts.length; i++) { ++ f += preFilter.replace(/\$/g, questionParts[i]); ++ if (i != (questionParts.length - 1)) { ++ f += " OR "; ++ } ++ } ++ f += ')'; ++ theFilter = s2h(f); ++ } else { ++ var newFilter = preFilter.replace(/\$/g, questionParts[0]); ++ theFilter = s2h(newFilter); ++ } ++ } else { ++ theFilter = tmpFilter; ++ } ++ } else { // The filter does not exist ++ theFilter = s2h('empty'); ++ } ++ } ++ } else { // No filter supplied ++ theFilter = s2h('empty'); ++ } ++ return theFilter; ++ } ++ ++ // ++ // This creates the views for each level ++ // ++ ++ function eventList (type) { ++ theWhen = getTimestamp(); ++ statusPoll(0); ++ var parts = type.split("-"); ++ var filterMsg = ''; ++ var rt = 0; ++ var theSensors = s2h('empty'); ++ var theFilter = mkFilter(); ++ ++ // See if we are just RT events ++ if ($('#rt').text() == 'on' || rtbit == 1) { ++ rt = 1; ++ rtbit = 1; ++ } ++ // How are we sorting? 
++ var sortval = $("#event_sort").val(), sorttxt; ++ switch (sortval) { ++ case "DESC": sorttxt = "show oldest first"; break; ++ case "ASC": sorttxt = "show newest first"; break; ++ } ++ ++ // See if we are filtering by sensor ++ if ($('.chk_sen:checked').length > 0) { ++ var active_sensors = "AND event.sid IN("; ++ var iter = $('.chk_sen:checked').length; ++ $('.chk_sen:checked').each(function() { ++ active_sensors += "'" + $(this).val() + "',"; ++ }); ++ active_sensors = active_sensors.replace(/,+$/,''); ++ active_sensors += ")"; ++ theSensors = s2h(active_sensors); ++ } ++ ++ // Check for any filters ++ if (h2s(theFilter) != 'empty') { ++ $('.fl_val').text('YES'); ++ } else { ++ $('.fl_val').text('NO'); ++ } ++ ++ switch (parts[0]) { ++ ++ // Level 0 view - Grouped by Signature ++ case "0": ++ $('.value').text('-'); ++ ++ // Times Chart ++ var urChrtArgs = "type=22&ts=" + theWhen + "&filter=" + theFilter + "&sensors=" + theSensors; ++ $(function(){ ++ $.get(".inc/callback.php?" + urChrtArgs, function(data){cb22(data)}); ++ }); ++ ++ function cb22(data){ ++ eval("chartData=" + data); ++ var r = chartData.r; ++ if (r > 0) { ++ mkLine(".times",chartData.rows,chartData.m); ++ } ++ } ++ ++ var urArgs = "type=" + parts[0] + "&ts=" + theWhen + "&filter=" + theFilter + "&sensors=" + theSensors + "&rt=" + rt + "&sv=" + sortval; ++ $(function(){ ++ $.get(".inc/callback.php?" 
+ urArgs, function(data){cb1(data)}); ++ }); ++ function cb1(data){ ++ eval("d0=" + data); ++ var tbl = ''; ++ var head = ''; ++ var row = ''; ++ var cols = 11; ++ ++ if (rt == 0) cols = 12; ++ head += ""; ++ head += ""; ++ head += "QUEUE"; ++ if (rt == 0) head += "ALL"; ++ head += ""; ++ head += "SC"; ++ head += "DC"; ++ if (rt == 0) head += "CLASS"; ++ head += "ACTIVITY"; ++ head += "LAST EVENT"; ++ head += "SIGNATURE"; ++ head += "ID"; ++ head += "PROTO"; ++ head += "% TOTAL"; ++ head += ""; ++ ++ var sumEC = 0, sumSC = 0, sumDC = 0, sumSI = "-", spr1 = 0, spr2 = 0, spr3 = 0, spr4 = 0; ++ ++ if (d0.length > 0) { ++ // Sums for boxes ++ for (var i=0; i"; ++ row += "No result. If this is unexpected try this"; ++ } ++ ++ if (rt == 1) { ++ sumSC = "-"; ++ sumDC = "-"; ++ sumEC = eTotal; ++ } ++ ++ var sumRT = 0; ++ ++ // Tag Array ++ var tags = new Array(); ++ ++ for (var i=0; i 0 ) { ++ rtClass = "b_ec_hot"; ++ sumRT += parseInt(unClass); ++ } else { ++ rtClass = "b_ec_cold"; ++ } ++ ++ // Sum priorities ++ var prC = Number(d0[i].f1); ++ switch (d0[i].f13) { ++ case "1": spr1 += prC; break; ++ case "2": spr2 += prC; break; ++ case "3": spr3 += prC; break; ++ default: spr4 += prC; break; ++ } ++ ++ rid = "r" + i + "-" + parts[1]; ++ var cells = mkGrid(d0[i].f12); ++ if (rt == 0) var catCells = catGrid(d0[i].f11,0,0); ++ row += ""; ++ row += "
" + unClass + "
"; ++ if (rt == 0) row += "
" + d0[i].f1 + "
"; ++ row += "
" + d0[i].f13 + "
"; ++ row += "" +d0[i].f6+ ""; ++ row += "" +d0[i].f7+ ""; ++ if (rt == 0) row += "" + catCells + ""; ++ ++ timeParts = d0[i].f5.split(" "); ++ timeStamp = timeParts[1]; ++ ++ if ( sumEC > 0) { ++ rowPer = Number(d0[i].f1/sumEC*100).toFixed(3); ++ } else { ++ rowPer = "0.000"; ++ } ++ ++ row += "" + cells + ""; ++ row += "" + timeStamp + ""; ++ row += ""; ++ //row += "
" + d0[i].f2 + "
"; ++ row += d0[i].f2 + ""; ++ row += "" + d0[i].f3 + ""; ++ row += "" + d0[i].f8 + ""; ++ ++ ++ row += "" + rowPer + "%"; ++ row += ""; ++ } ++ ++ // Populate event summary ++ $('#qtotal').text(sumRT); ++ $('#etotal').text(sumEC); ++ $('#esignature').text(sumSI); ++ ++ // Populate tags ++ for (var i=0; i < tags.length; i++) { ++ addTag(tags[i]); ++ } ++ ++ tbl += ""; ++ tbl += head; ++ tbl += row; ++ tbl += "
"; ++ ++ $('#' + parts[1] + '-' + parts[2]).append(tbl); ++ ++ if (d0.length > 0) { ++ var prVals = [spr1,spr2,spr3,spr4]; ++ var pryBar = mkPribar(prVals); ++ } else { ++ var pryBar = mkPribar([0]); ++ } ++ $('#tl1').fadeIn('slow'); ++ $("#tl1").tablesorter(); ++ $("#loader").hide(); ++ } ++ break; ++ ++ // Level 1 view - Grouped by signature, source, destination ++ ++ case "1": ++ var urArgs = "type=" + parts[0] + "&object=" + parts[1] + "&ts=" + theWhen + "&filter=" + theFilter + "&sensors=" + theSensors + "&rt=" + rt + "&sv=" + sortval; ++ $(function(){ ++ $.get(".inc/callback.php?" + urArgs, function(data){cb2(data)}); ++ }); ++ ++ function cb2(data){ ++ eval("theData=" + data); ++ tbl = ''; ++ head = ''; ++ row = ''; ++ head += "QUEUE"; ++ if (rt == 0) head += "TOTAL"; ++ if (rt == 0) head += "CLASS"; ++ head += "ACTIVITY"; ++ head += "LAST EVENT"; ++ head += "SOURCE"; ++ head += "AGE"; ++ head += "COUNTRY"; ++ head += "DESTINATION"; ++ head += "AGE"; ++ head += "COUNTRY"; ++ head += ""; ++ var curclasscount = 0, tlCount = 0, rtCount = 0; ++ var timeValues = "", scid = ""; ++ ++ // Tag array ++ var tags = new Array(); ++ ++ for (var i=0; i 0 ) { ++ rtClass = "b_ec_hot"; ++ isActive = "sub_active"; ++ } else { ++ rtClass = "b_ec_cold"; ++ isActive = "sub"; ++ } ++ ++ // Aggregate time values ++ timeValues += theData[i].c_ts + ","; ++ var cells = mkGrid(theData[i].f12); ++ if (rt == 0) var catCells = catGrid(theData[i].c_status,0,0); ++ ++ // Event sums ++ tlCount += parseInt(count,10); ++ rtCount += parseInt(unclass,10); ++ ++ rid = "r" + i + "-" + parts[1] + "-" + src_ip + "-" + dst_ip; ++ row += ""; ++ row += "
" + unclass + "
"; ++ if (rt == 0) row += "
" + count + "
"; ++ if (rt == 0) row += "" + catCells + ""; ++ row += "" + cells + ""; ++ row += "" + max_time + ""; ++ row += "
" + src_ip + ""; ++ row += "" + src_age_n + ""; ++ row += ""; ++ row += cs[1] + src_clong + " (." + src_cc.toLowerCase() + ")" + ""; ++ row += "
" + dst_ip + ""; ++ row += "" + dst_age_n + ""; ++ row += ""; ++ row += cd[1] + dst_clong + " (." + dst_cc.toLowerCase() + ")" + ""; ++ row += ""; ++ } ++ ++ // Populate tags ++ for (var i=0; i < tags.length; i++) { ++ addTag(tags[i]); ++ } ++ ++ // Add scid's to checkbox ++ $("#ca0").data("scid", scid.replace(/,$/, "")); ++ ++ // If queue is empty provide event sums in case the user ++ // intends to reclass anything ++ if (rtbit == 1) { ++ curclasscount = rtCount; ++ } else { ++ curclasscount = tlCount; ++ } ++ ++ // update class_count ++ $("#class_count").html(curclasscount); ++ lastclasscount = $("#class_count").html(); ++ ++ // While in grouped events (RT) we remove rows as ++ // they are classed and subtract the values from "Total Events" ++ // This keeps etotal up to date so the math doesn't get silly ++ var oldrt = Number($(".d_row_active").find(".b_ec_hot").text()); ++ var oldec = Number($("#etotal").text()); ++ if (oldrt < rtCount) { ++ newrtcount = parseInt((rtCount - oldrt) + oldec); ++ $("#etotal").text(newrtcount); ++ } ++ ++ // Update parent counts ++ $(".d_row_active").find(".b_ec_hot").text(rtCount); ++ if (rt == 0) $(".d_row_active").find(".b_ec_total").text(tlCount); ++ ++ tbl += "
"; ++ tbl += head; ++ tbl += row; ++ tbl += "
"; ++ $("#eview").after(tbl); ++ $("#tl2").tablesorter({ ++ headers: { ++ 4: {sorter:'ipv4'}, ++ 6: {sorter:'ipv4'} ++ } ++ }); ++ $("#loader").hide(); ++ } ++ break; ++ ++ // Level 2 view - No grouping, individual events ++ ++ case "2": ++ var rowLoke = parts[1]; ++ var filter = $('#' + parts[1]).data('filter'); ++ var urArgs = "type=" + parts[0] + "&object=" + filter + "&filter=" + theFilter + "&sensors=" + theSensors + "&ts=" + theWhen + "&adqp=" + parts[2] + "&rt=" + rt + "&sv=" + sortval; ++ $(function(){ ++ $.get(".inc/callback.php?" + urArgs, function(data){cb3(data)}); ++ }); ++ ++ function cb3(data){ ++ eval("d2=" + data); ++ tbl = ''; ++ head = ''; ++ row = ''; ++ head += ""; ++ head += ""; ++ head += "ST"; ++ head += "TIMESTAMP"; ++ head += "EVENT ID"; ++ head += "SOURCE"; ++ head += "PORT"; ++ head += "DESTINATION"; ++ head += "PORT"; ++ head += "SIGNATURE"; ++ head += ""; ++ ++ // Update class_count ++ $("#class_count").html(0); ++ var tlCount=0, rtCount=0; ++ ++ // Tag array ++ var tags= new Array(); ++ ++ for (var i=0; i"; ++ tclass = "c" + eclass; ++ cv = classifications.class[tclass][0].short; ++ ++ // Populate tags array ++ if (src_tag != "-") { ++ var src_tags = src_tag.split(","); ++ $.each(src_tags, function(n,tag) { ++ var t = tags.indexOf(tag); ++ if (t < 0) tags.push(tag); ++ }); ++ } ++ ++ if (dst_tag != "-") { ++ var dst_tags = dst_tag.split(","); ++ $.each(dst_tags, function(n,tag) { ++ var t = tags.indexOf(tag); ++ if (t < 0) tags.push(tag); ++ }); ++ } ++ ++ // Timestamp ++ var compts = d2[i].f2.split(",") || "--"; ++ var timestamp = compts[0]; ++ var utctimestamp = compts[1]; ++ ++ // Event sums ++ tlCount += parseInt(1,10); ++ if (cv == "RT") { ++ rtCount += parseInt(1,10); ++ } ++ ++ // Transcript link ++ // original Squert native pivot: ++ //txdata = "s" + i + "-" + cid + "-" + s2h(sid + "|" + utctimestamp + "|" + src_ip + "|" + src_port + "|" + dst_ip + "|" + dst_port); ++ //txBit = "" + sid + "." + cid + "
"; ++ //if (src_port != "-" && dst_port != "-") { ++ // txBit = "" + sid + "." + cid + ""; ++ //} ++ // new pivot to CapMe: ++ txdata = "s" + i + "-" + cid + "-" + s2h(sid + "|" + utctimestamp + "|" + src_ip + "|" + src_port + "|" + dst_ip + "|" + dst_port); ++ txBit = "" + sid + "." + cid + ""; ++ if (src_port != "-" && dst_port != "-") { ++ var startDate = new Date(utctimestamp); ++ var start_tz_offset = (startDate.getTimezoneOffset()); ++ var stime = startDate.setTime( startDate.getTime()/1000-(start_tz_offset*60) ) - 3600; ++ var endDate = new Date(utctimestamp); ++ var end_tz_offset = (endDate.getTimezoneOffset()); ++ var etime = endDate.setTime( endDate.getTime()/1000-(end_tz_offset*60) ) + 3600; ++ txBit = " " + sid + "." + cid + ""; ++ } ++ ++ row += ""; ++ row += "
"; ++ row += cv + "
"; ++ row += "" + timestamp + ""; ++ row += txBit; ++ row += "" + src_ip + ""; ++ row += "" + src_port + ""; ++ row += "" + dst_ip + ""; ++ row += "" + dst_port + ""; ++ row += "" + signature + ""; ++ row += ""; ++ } ++ ++ // Update parent counts ++ $(".d_row_sub_active").find(".b_ec_hot").text(rtCount); ++ if ($(".d_row_sub_active").find(".b_ec_total").text() < tlCount) { ++ $(".d_row_sub_active").find(".b_ec_total").text(tlCount); ++ } ++ ++ var cols = $('th.sort').length; ++ ++ // Populate tags ++ clearTags(); ++ for (var i=0; i < tags.length; i++) { ++ addTag(tags[i]); ++ } ++ ++ tbl += ""; ++ tbl += ""; ++ tbl += head; ++ tbl += row; ++ tbl += "
"; ++ $("#" + rowLoke).after(tbl); ++ $(".d_row_sub").fadeTo('0','0.2'); ++ $("#loader").hide(); ++ $("#tl3").tablesorter({ ++ headers: { ++ 0:{sorter:false}, ++ 4:{sorter:'ipv4'}, ++ 6:{sorter:'ipv4'} ++ }, ++ cancelSelection:false ++ }); ++ $("#ca0").hide(); ++ } ++ break; ++ ++ // Level 2a view - No grouping, individual events ++ ++ case "2a": ++ $('.value').text('-'); ++ var urArgs = "type=2a&ts=" + theWhen + "&filter=" + theFilter + "&sensors=" + theSensors + "&rt=" + rt + "&sv=" + sortval; ++ $(function(){ ++ $.get(".inc/callback.php?" + urArgs, function(data){cb3a(data)}); ++ }); ++ ++ function cb3a(data){ ++ eval("d2a=" + data); ++ var tbl = ''; ++ var head = ''; ++ var row = ''; ++ var disabled = ''; ++ if (d2a.length == 0) { ++ disabled = "disabled"; ++ row += ""; ++ row += "No result. If this is unexpected try this"; ++ } ++ ++ head += ""; ++ head += ""; ++ head += ""; ++ head += "ST"; ++ head += ""; ++ head += "TIMESTAMP"; ++ head += "ID"; ++ head += "SOURCE"; ++ head += "PORT"; ++ head += "AGE"; ++ head += "CC"; ++ head += "DESTINATION"; ++ head += "PORT"; ++ head += "AGE"; ++ head += "CC"; ++ head += "SIGNATURE"; ++ head += ""; ++ ++ // Aggregate time values ++ var timeValues = ""; ++ for (var ts=0; ts" + sid + "." + cid + ""; ++ //if (src_port != "-" && dst_port != "-") { ++ // txBit = "" + sid + "." + cid + ""; ++ //} ++ // new pivot to CapMe: ++ txdata = "s" + i + "-" + cid + "-" + s2h(sid + "|" + utctimestamp + "|" + src_ip + "|" + src_port + "|" + dst_ip + "|" + dst_port); ++ txBit = "" + sid + "." + cid + ""; ++ if (src_port != "-" && dst_port != "-") { ++ var startDate = new Date(utctimestamp); ++ var start_tz_offset = (startDate.getTimezoneOffset()); ++ var stime = startDate.setTime( startDate.getTime()/1000-(start_tz_offset*60) ) - 3600; ++ var endDate = new Date(utctimestamp); ++ var end_tz_offset = (endDate.getTimezoneOffset()); ++ var etime = endDate.setTime( endDate.getTime()/1000-(end_tz_offset*60) ) + 3600; ++ txBit = " " + sid + "." 
+ cid + ""; ++ } ++ ++ row += ""; ++ row += ""; ++ row += "
"; ++ row += cv + "
"; ++ row += "
" + d2a[i].f16 + "
"; ++ row += "" + timestamp + ""; ++ row += txBit; ++ row += "
" + src_ip + ""; ++ row += "" + src_port + ""; ++ row += "" + src_age_n + ""; ++ row += "" + cs[1] + ""; ++ row += "
" + dst_ip + ""; ++ row += "" + dst_port + ""; ++ row += "" + dst_age_n + "" ++ row += "" + cd[1] + ""; ++ row += "" + signature + ""; ++ } ++ ++ var sumED = 0, sumEC = 0, cmsg = ""; ++ ++ if (d2a.length > 0) { ++ sumED = i; ++ sumEC = d2a.length; ++ } ++ ++ if (d2a.length >= maxI) { ++ sumRE = sumEC - maxI; ++ cmsg = " / " + sumRE + " not shown"; ++ } ++ ++ $("#qtotal").html(rsumRT); ++ ++ // Populate tags ++ clearTags(); ++ for (var i=0; i < tags.length; i++) { ++ addTag(tags[i]); ++ } ++ ++ // Draw ++ tbl += ""; ++ tbl += "
"; ++ tbl += "
"; ++ tbl += "
"; ++ tbl += "categorize " + 0 + ""; ++ tbl += " of " + sumED + " event(s)" + cmsg; ++ tbl += "
"; ++ tbl += "
" + sorttxt + "
"; ++ tbl += "
"; ++ tbl += "
"; ++ tbl += ""; ++ tbl += head; ++ tbl += row; ++ tbl += "
"; ++ $('#' + parts[1] + '-' + parts[2]).after(tbl); ++ ++ if (d2a.length > 0) { ++ var prVals = [spr1,spr2,spr3,spr4]; ++ var pryBar = mkPribar(prVals); ++ } else { ++ var pryBar = mkPribar([0]); ++ } ++ $("#tl3a,#tl3b").fadeIn('slow'); ++ $("#tl3b").tablesorter({ ++ headers: { ++ 0:{sorter:false}, ++ 1:{sorter:false}, ++ 5:{sorter:'ipv4'}, ++ 8:{sorter:'ipv4'} ++ }, ++ cancelSelection:false ++ }); ++ $("#loader").hide(); ++ } ++ break; ++ ++ // Level 3 view - Packet Data ++ ++ case "3": ++ var rowLoke = parts[1]; ++ var nCols = $('#' + parts[1]).data('cols'); ++ var filter = $('#' + parts[1]).data('filter'); ++ var urArgs = "type=" + parts[0] + "&object=" + filter + "&ts=" + theWhen; ++ var sg = $('#' + parts[1]).data('sg'); ++ $(function(){ ++ $.get(".inc/callback.php?" + urArgs, function(data){cb4(data)}); ++ }); ++ ++ function cb4(data){ ++ eval("theData=" + data); ++ ++ var tbl = '', head = '', row = ''; ++ ++ // If IP version is 0 we can jump right to the payload (likely bro, http or ossec agent) ++ if (theData[0].ip_ver != 0) { ++ ++ var PDATA = 0; ++ head += ""; ++ head += ""; ++ head += ""; ++ head += ""; ++ head += ""; ++ head += ""; ++ head += ""; ++ head += ""; ++ head += ""; ++ head += ""; ++ head += ""; ++ head += ""; ++ head += ""; ++ head += ""; ++ ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += "
IPVERIHLTOSLENGTHIDFLAGSOFFSETTTLCHECKSUMPROTO
" + theData[0].ip_ver + "" + theData[0].ip_hlen + "" + theData[0].ip_tos + "" + theData[0].ip_len + "" + theData[0].ip_id + "" + theData[0].ip_flags + "" + theData[0].ip_off + "" + theData[0].ip_ttl + "" + theData[0].ip_csum + "" + theData[0].ip_proto + "
"; ++ ++ switch (theData[0].ip_proto) { ++ case "1": ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += "
ICMPTYPECODECHECKSUMIDSEQ#
" + theData[1].icmp_type + "" + theData[1].icmp_code + "" + theData[1].icmp_csum + "" + theData[1].icmp_id + "" + theData[1].icmp_seq + "
"; ++ break; ++ ++ case "6": ++ // TCP flags ++ var tmpFlags = theData[1].tcp_flags || 'z'; ++ switch (tmpFlags) { ++ case 'z': var tcpFlags = '--------'; break; ++ default: ++ var binFlags = Number(theData[1].tcp_flags).toString(2); ++ var binPad = 8 - binFlags.length; ++ var tcpFlags = "00000000".substring(0,binPad) + binFlags; ++ break; ++ } ++ var tcp_seq = theData[1].tcp_seq || '-'; ++ var tcp_ack = theData[1].tcp_ack || '-'; ++ var tcp_off = theData[1].tcp_off || '-'; ++ var tcp_res = theData[1].tcp_res || '-'; ++ var tcp_win = theData[1].tcp_win || '-'; ++ var tcp_urp = theData[1].tcp_urp || '-'; ++ var tcp_csum = theData[1].tcp_csum || '-'; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += "
TCPR1R0URGACKPSHRSTSYNFINSEQ#ACK#OFFSETRESWINURPCHECKSUM
" + tcpFlags[0] + "" + tcpFlags[1] + "" + tcpFlags[2] + "" + tcpFlags[3] + "" + tcpFlags[4] + "" + tcpFlags[5] + "" + tcpFlags[6] + "" + tcpFlags[7] + "" + tcp_seq + "" + tcp_ack + "" + tcp_off + "" + tcp_res + "" + tcp_win + "" + tcp_urp + "" + tcp_csum + "
"; ++ break; ++ ++ case "17": ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += "
UDPLENGTHCHECKSUM
" + theData[1].udp_len + "" + theData[1].udp_csum + "
"; ++ break; ++ } ++ ++ var p_hex = '', p_ascii = '', p_ascii_l = ''; ++ ++ // Data ++ if (!theData[2]) { ++ p_hex = "No Data Sent."; ++ p_ascii = "No Data Sent."; ++ } else { ++ p_pl = theData[2].data_payload; ++ p_length = theData[2].data_payload.length; ++ var b0 = 0; ++ ++ for(var i=0; i < p_length; i+=2) { ++ b0++; ++ t_hex = p_pl.substr(i,2); ++ t_int = parseInt(t_hex,16); ++ ++ if ((t_int < 32) || (t_int > 126)) { ++ p_hex += t_hex + " "; ++ p_ascii += "."; ++ p_ascii_l += "."; ++ } else if (t_int == 60) { ++ p_hex += t_hex + " "; ++ p_ascii += "<"; ++ p_ascii_l += "<"; ++ } else if (t_int == 62) { ++ p_hex += t_hex + " "; ++ p_ascii += ">"; ++ p_ascii_l += ">"; ++ } else { ++ p_hex += t_hex + " "; ++ p_ascii += String.fromCharCode(parseInt(t_hex, 16)); ++ p_ascii_l += String.fromCharCode(parseInt(t_hex, 16)); ++ } ++ ++ if ((b0 == 16) && (i < p_length)) { ++ p_hex += "
"; ++ p_ascii += "
"; ++ b0 = 0; ++ } ++ } ++ } ++ ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += "
DATAHEXASCII
" + p_hex + "" + p_ascii + "
ASCII" + p_ascii_l + "
"; ++ ++ } else { ++ ++ head += ""; ++ var p_ascii = "No Data Sent."; ++ // This needs to be more robust. ++ if (theData[2]) { ++ var tmp = h2s(theData[2].data_payload).split("\n"); ++ p_ascii = ''; ++ for (var i in tmp) { ++ p_ascii += "
" + tmp[i] + "
"; ++ } ++ ++ } ++ row += ""; ++ row += ""; ++ row += "
" + p_ascii + "
"; ++ } ++ ++ tbl += ""; ++ ++ // If we are not grouped we show the signature text ++ if ( sg != 0 ) { ++ tbl += "
"; ++ tbl += "
"; ++ tbl += "
"; ++ tbl += "
"; ++ tbl += "
"; ++ tbl += "
"; ++ sigLookup(sg); ++ } ++ ++ // Comments and tags are done here ++ var tags = new Array(); ++ var eventTag = 'None.'; ++ var eventComment = theData[0].comment || 'None.'; ++ var src_tag = theData[0].srctag || '-'; ++ var dst_tag = theData[0].dsttag || '-'; ++ ++ // Populate tags array ++ if (src_tag != "-") { ++ var src_tags = src_tag.split(","); ++ $.each(src_tags, function(n,tag) { ++ var t = tags.indexOf(tag + ",s"); ++ if (t < 0) tags.push(tag + ",s"); ++ }); ++ } ++ ++ if (dst_tag != "-") { ++ var dst_tags = dst_tag.split(","); ++ $.each(dst_tags, function(n,tag) { ++ var t = tags.indexOf(tag + ",d"); ++ if (t < 0) tags.push(tag + ",d"); ++ }); ++ } ++ ++ if (tags.length > 0) eventTag = ''; ++ ++ tbl += "
COMMENTS
"; ++ tbl += "
" + eventComment + "
"; ++ tbl += "
TAGS
"; ++ tbl += "
" + eventTag + "
"; ++ if (PDATA != 0) { ++ tbl += "
DETAILS
"; ++ } else { ++ tbl += "
PAYLOAD
"; ++ } ++ tbl += head; ++ tbl += row; ++ tbl += ""; ++ $("#" + rowLoke).after(tbl); ++ $("#loader").hide(); ++ ++ // Turn off fade effect for large results ++ var rC = $(".d_row_sub1").length; ++ if ( rC <= 499 ) { ++ $(".d_row_sub1").fadeTo('fast','0.2'); ++ } ++ ++ // Populate tags ++ clearTags(); ++ for (var i=0; i < tags.length; i++) { ++ addTag(tags[i]); ++ } ++ ++ } ++ break; ++ } ++ // If event queue is off we need to reset this after load if b_ec_hot was ++ // the entry point ++ if ($('#rt').text() == 'off') rtbit = 0; ++ } ++ ++ // ++ // Object click handlers ++ // ++ ++ $(document).on("click", ".select,.ex_val,.sub_filter,.row_filter,.tof,.value_link,.nr_f", function(e) { ++ // Check if we are coming from a legit object ++ var prefix = $(this).data('type'); ++ if (prefix == "none") return; ++ ++ // Check if we are coming from a sane selection ++ var selLen = window.getSelection().toString().length; ++ if (selLen > 4) { ++ if (selLen < 255) { // Might need to change these based on how people use this ++ prefix = "zz"; ++ var suffix = window.getSelection().toString(); ++ var re = /\s/g; ++ var NOK = re.exec(suffix); ++ if (NOK) return; ++ } else { ++ return; ++ } ++ } else { ++ var suffix = $(this).text(); ++ } ++ ++ var mX = e.pageX; ++ var mY = e.pageY; ++ ++ var colour = $(this).data('col') || "FFFFFF"; ++ var tfocus = "#search"; ++ switch (prefix) { ++ case 'ip': ++ hItemAdd(suffix); ++ var sord = $(this).data('sord'); ++ mkPickBox(prefix,suffix,sord,colour,mX,mY); ++ break; ++ case 'spt': ++ case 'dpt': ++ hItemAdd(suffix); ++ mkPickBox(prefix,suffix,0,colour,mX,mY); ++ break; ++ case 'cc': ++ case 'scc': ++ case 'dcc': ++ var cc = $(this).data('value'); ++ hItemAdd(cc); ++ mkPickBox(prefix,cc,suffix,colour,mX,mY); ++ break; ++ case 'cmt': ++ suffix = $(this).data('comment'); ++ $("#rt").text("off"); ++ $("#rt").attr('class','tvalue_off'); ++ $('#search').val(prefix + " " + suffix); ++ hItemAdd(suffix); ++ if ($('#cat_box').css('display') != 'none') { 
++ $('#ico01').click(); ++ } ++ $('.b_update').click(); ++ break; ++ case 'cmt_c': ++ $('.cat_msg_txt').val(suffix); ++ hItemAdd(suffix); ++ tfocus = ".cat_msg_txt"; ++ break; ++ case 'fil': ++ var fil = $(this).data('value'); ++ $('#search').val(fil); ++ hItemAdd(fil); ++ if ($('#fltr_box').css('display') != 'none') { ++ $('#ico04').click(); ++ } ++ $('.b_update').click(); ++ break; ++ case 'sid': ++ var value = $(this).data('value'); ++ hItemAdd(suffix); ++ mkPickBox(prefix,value,suffix,colour,mX,mY); ++ break; ++ case 'st': ++ var suffix = $(this).attr('id').split('-')[1]; ++ $('#search').val(prefix + " " + suffix); ++ // RT must be off to return anything ++ $('#rt').attr('class','tvalue_off'); ++ $('#rt').text('off'); ++ rtbit = 0; ++ $('.b_update').click(); ++ break; ++ case 'el': ++ var suffix = $(this).data('value'); ++ mkPickBox(prefix,suffix,0,colour,mX,mY); ++ break; ++ case 'zz': ++ hItemAdd(suffix); ++ mkPickBox(prefix,suffix,0,colour,mX,mY); ++ break; ++ } ++ }); ++ ++ // ++ // Picker Box ++ // ++ ++ function mkPickBox(prefix,suffix,rsuffix,colour,mX,mY) { ++ var doexternals = "yes"; ++ var objhex = s2h(suffix); ++ var tbl = '', row = ''; ++ // Local stuff first ++ switch (prefix[prefix.length - 1]) { ++ case "c": ++ row += ":: SRC or DST"; ++ row += ":: SRC"; ++ row += ":: DST"; ++ row += ":: SEARCH"; ++ break; ++ case "p": ++ row += ":: SRC or DST"; ++ row += ":: SRC"; ++ row += ":: DST"; ++ row += ":: ADD / REMOVE TAG"; ++ if ($('.sigtxt')[0]) { ++ row += ":: HISTORY"; ++ } ++ row += ":: SEARCH"; ++ row += ":: COLOUR  "; ++ row += ""; ++ row += "apply"; ++ row += "apply all"; ++ row += ""; ++ break; ++ case "t": ++ row += ":: SRC"; ++ row += ":: DST"; ++ row += ":: SEARCH"; ++ break; ++ case "d": ++ row += ":: SIGNATURE"; ++ if ($('.sigtxt')[0]) { ++ row += ":: HISTORY"; ++ } ++ row += ":: SEARCH"; ++ break; ++ case "l": ++ row += ":: COLOUR  "; ++ row += ""; ++ row += "update"; ++ doexternals = "no"; ++ break; ++ case "z": ++ row += ":: SEARCH"; ++ 
break; ++ } ++ ++ // If applicable populate externals ++ if (doexternals == "yes") { ++ $('.f_row').each(function() { ++ var ct = $(this).data('type'); ++ if (ct == 'url') { ++ var alias = $(this).data('alias'); ++ var name = $(this).data('name'); ++ var url = $(this).data('filter'); ++ row += ""; ++ row += "" + name + ""; ++ row += ""; ++ } ++ }); ++ } ++ ++ tbl += ""; ++ tbl += row; ++ tbl += "
"; ++ ++ var boxlabel = suffix; ++ ++ // Use more descriptive names where possible ++ var re = /(sid|cc|scc|dcc)/; ++ var OK = re.exec(prefix); ++ if (OK) { ++ var boxlabel = rsuffix; ++ } ++ ++ if (boxlabel.length > 24) { ++ boxlabel = boxlabel.substring(0,24); ++ boxlabel += ".."; ++ } ++ ++ $('#pickbox_label').text(boxlabel).css('font-weight','normal').data('sord', rsuffix); ++ ++ if ($('#tlpick')[0]) $('#tlpick').remove(); ++ $(".pickbox_tbl").append(tbl); ++ $('.pickbox').fadeIn('fast'); ++ ++ // Colour Picker ++ $("#menucol").spectrum({ ++ showInput: true, ++ className: "full-spectrum", ++ showInitial: true, ++ showPalette: true, ++ showSelectionPalette: true, ++ maxPaletteSize: 6, ++ preferredFormat: "hex", ++ localStorageKey: "spectrum.demo", ++ move: function (color) {}, ++ show: function () {}, ++ beforeShow: function () {}, ++ hide: function () {}, ++ change: function() {}, ++ palette: [ ++ ['rgb(217,217,217)','rgb(189,189,189)','rgb(150,150,150)','rgb(99,99,99)','rgb(37,37,37)'], ++ ['rgb(199,233,192)','rgb(161,217,155)','rgb(116,196,118)','rgb(49,163,84)','rgb(0,109,44)'], ++ ['rgb(218,218,235)','rgb(188,189,220)','rgb(158,154,200)','rgb(117,107,177)','rgb(84,39,143)'], ++ ['rgb(198,219,239)','rgb(158,202,225)','rgb(107,174,214)','rgb(49,130,189)','rgb(8,81,156)'], ++ ['rgb(254,217,118)','rgb(254,178,76)','rgb(253,141,60)','rgb(240,59,32)','rgb(189,0,38)'] ++ ] ++ }); ++ } ++ ++ // Pickbox click events ++ $(document).on('click', '.p_row', function() { ++ if ($('.tagbox').css('display') != 'none') $('.tagcancel').click(); ++ var ctype = $(this).data('type'); ++ var alias = $(this).data('alias'); ++ var args = $('#tlpick').data('val'); ++ switch(ctype) { ++ case "l": ++ $('.pickbox').fadeOut('fast'); ++ $('#search').val(alias + " " + args); ++ $('.b_update').click(); ++ break; ++ case "r": ++ $('.pickbox').fadeOut('fast'); ++ var url = h2s($(this).data('url')).replace("${var}", args); ++ window.open(url); ++ break; ++ case "t": ++ 
$('.tagbox').fadeIn('fast'); ++ $('.taginput').focus(); ++ break; ++ case "s": ++ $('.pickbox').fadeOut('fast', function() {; ++ $('#ico05').click(); ++ }); ++ $('.srch_txt').val(args); ++ break; ++ case "h": ++ doHistory(args); ++ $('.pickbox').fadeOut('fast'); ++ break; ++ default: return; ++ } ++ }); ++ ++ // ++ // Tags ++ // ++ ++ // Truncate ++ function truncTag(tag,len) { ++ if (tag.length > len) tag = tag.substring(0,len) + ".."; ++ return tag; ++ } ++ ++ // Filter results or add as new ++ $(document).on('click', '.tag', function() { ++ var tag = $(this).data('val'); ++ if($('.taginput').is(":visible")) { ++ $('.taginput').val(tag); ++ $('.taginput').focus(); ++ } else { ++ $('#search').val('tag ' + tag); ++ $('.b_update').click(); ++ } ++ }); ++ ++ // Remove individual tags on "(X)" click via payload area ++ $(document).on('mouseenter', '.tag_d, .tag_s', function() { ++ var tag = $(this).data('val'); ++ if ($(".tag_x")[0]) return; ++ var dw = $(this).width() - 5 + "px"; ++ $(this).append("
X
"); ++ $(".tag_x").css("margin-left", dw); ++ $(".tag_x").fadeIn("slow"); ++ ++ }); ++ ++ $(document).on('mouseleave', '.tag_d, .tag_s', function() { ++ $('.tag_x').remove(); ++ }); ++ ++ $(document).on('click', '.tag_x', function() { ++ var tag = $(this).parent().data("val"); ++ var obj = $(this).parent().data("obj"); ++ $(this).parent().remove(); ++ var len = $("#tag_area").text().length; ++ if (len == 0) $("#tag_area").append("None."); ++ //doTag(s2h(obj),tag,'rm'); ++ }); ++ ++ // Fire tag add on enter ++ $('.taginput').keypress(function(e) { ++ if (!e) e=window.event; ++ key = e.keyCode ? e.keyCode : e.which; ++ if (key == 13) $('.tagok').click(); ++ }); ++ ++ // Close tag entry ++ $(document).on('click', '.tagcancel', function() { ++ $('.taginput').val(''); ++ $('.tagbox').fadeOut('fast'); ++ }); ++ ++ // Add a tag ++ $(document).on('click', '.tagok', function() { ++ var tag = $('.taginput').val(); ++ var obj = $('#pickbox_label').text(); ++ var re = /^[?a-zA-Z0-9][\s{1}\w-\.]*$/; ++ var OK = re.exec(tag); ++ if (OK) doTag(s2h(obj),tag,'add'); ++ }); ++ ++ // Remove a tag ++ $(document).on('click', '.tagrm', function() { ++ var tag = truncTag($('.taginput').val(),20); ++ var obj = $('#pickbox_label').text(); ++ doTag(s2h(obj),tag,'rm'); ++ $(".tag" + ":contains('" + tag + "')").remove(); ++ $('.tagcancel').click(); ++ }); ++ ++ // Display or Toggle tags ++ function addTag(tag) { ++ // If we entered from payload we have some additional info ++ if ($('#eview_sub2')[0]) { ++ var longTag = tag.split(",")[0]; ++ var theClass = tag.split(",")[1]; ++ var t_tag = truncTag(longTag,20); ++ } else { ++ var t_tag = truncTag(tag,20); ++ } ++ ++ // Hide empty ++ $('.tag_empty').hide(); ++ ++ // Check if tag exists ++ var tag_exists = 0; ++ $('.tag').each(function() { ++ if ($(this).text() == t_tag) { ++ $(this).addClass('tag_active'); ++ tag_exists = 1; ++ } ++ }); ++ ++ // Add tag to left pane ++ if (tag_exists == 0) { ++ var newTag = "
" + t_tag + "
"; ++ $('#tg_box').prepend(newTag); ++ } ++ ++ // If we have the payload open, add here as well ++ if ($('#eview_sub2')[0]) { ++ if($('#pickbox_label').is(":visible")) { ++ theClass = $('#pickbox_label').data('sord')[0]; ++ } ++ // Remove placeholder ++ if ($('#tag_none')[0]) $('#tag_none').remove(); ++ var newTag = "
" + t_tag + "
"; ++ $('#tag_area').prepend(newTag); ++ } ++ ++ } ++ ++ function doTag(obj,tag,op) { ++ var urArgs = "type=19&obtype=tag&object=" + obj + "&value=" + tag + "&op=" + op; ++ $(function(){ ++ $.post(".inc/callback.php?" + urArgs, function(data){cb22(data)}); ++ }); ++ ++ function cb22(data){ ++ eval("theData=" + data); ++ if (theData.msg != '') { ++ alert(theData.msg); ++ } else { ++ if (op != 'rm') addTag(tag); ++ $('.tagcancel').click(); ++ } ++ } ++ } ++ ++ // Colours ++ $(document).on('click', '.csave', function() { ++ var obtype = $(this).data('obtype'); ++ var object = $(this).data('object'); ++ var colour = $('#menucol').val().replace(/#/,"").toUpperCase(); ++ var op = "add"; ++ var re = /^([A-Fa-f0-9]{6}|[A-Fa-f0-9]{3})$/; ++ var OK = re.exec(colour); ++ if (!OK) return; ++ // Single or multiple? ++ if (obtype == "src" || obtype == "dst") { ++ var vr = new Array(); ++ $("." + obtype).each(function() { ++ var v = $(this).text(); ++ var re = /\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}/; ++ var OK = re.exec(v); ++ if (OK) { ++ var t = vr.indexOf(v); ++ if (t < 0) vr.push(v); ++ } ++ }); ++ object = vr.toString(); ++ } ++ ++ var urArgs = "type=19&obtype=" + obtype + "_c&object=" + object + "&value=" + colour + "&op=" + op; ++ $(function(){ ++ $.post(".inc/callback.php?" + urArgs, function(data){cb22(data)}); ++ }); ++ ++ function cb22(data){ ++ eval("theData=" + data); ++ if (theData.msg != '') { ++ alert(theData.msg); ++ } else { // We should be good.. ++ var curObject = $('#pickbox_label').text(); ++ if (obtype == "el") { ++ var html = "
" + colour; ++ $('#el_' + curObject).html(html); ++ $('#el_' + curObject).data('col', colour); ++ } else { ++ $(".sub_filter:contains(" + curObject + ")").each(function() { ++ $(this).find('.object').css('background-color', '#' + colour).parent().data('col', colour); ++ }); ++ } ++ $('.pickbox').fadeOut('fast'); ++ } ++ } ++ }); ++ ++ $(document).on('click', '.pickbox_close', function() { ++ $('.tagcancel').click(); ++ $('.pickbox').fadeOut('fast'); ++ }); ++ ++ // ++ // Object History ++ // ++ ++ function hItemAdd(item) { ++ var itemTitle = item; ++ // Truncate ++ if (item.length > 33) { ++ itemTitle = item.substring(0,33) + ".."; ++ } ++ // Remove empty message ++ $('.history_empty').hide(); ++ ++ // If the item doesn't exist, add it. Otherwise, we start counting. ++ if ($(".h_item:contains('" + itemTitle + "')").length > 0) { ++ var oc = $(".h_item:contains('" + itemTitle + "')").data('n'); ++ var nc = Number(oc) + 1; ++ var bg = '#c9c9c9'; ++ var fn = 'normal'; ++ if (nc <= 3) { ++ bg = '#000'; ++ } else if (nc > 3) { ++ bg = '#cc0000'; ++ fn = 'bold'; ++ } ++ ++ $(".h_item:contains('" + itemTitle + "')").css('color', bg); ++ $(".h_item:contains('" + itemTitle + "')").css('font-weight', fn); ++ $(".h_item:contains('" + itemTitle + "')").data('n',nc); ++ $(".h_item:contains('" + itemTitle + "')").text(itemTitle + "(" + nc + ")"); ++ } else { ++ var toAdd = " " + itemTitle + ""; ++ $('#h_box').prepend(toAdd); ++ } ++ } ++ ++ if (!$('.h_item')[0]) { ++ $('.history_empty').show(); ++ } ++ ++ // Alt mappings for icons ++ ++ $.alt('1', function() { ++ $("#ico01").click(); ++ }); ++ $.alt('2', function() { ++ $("#ico02").click(); ++ }); ++ $.alt('3', function() { ++ $("#ico03").click(); ++ }); ++ $.alt('4', function() { ++ $("#ico05").click(); ++ }); ++ $.alt('5', function() { ++ $("#ico04").click(); ++ }); ++ ++ // ++ // Event classification ++ // ++ ++ // Use function keys to trigger status buttons ++ $(document).keydown(function(event){ ++ ++ function stopOthers() 
{ ++ event.originalEvent.keyCode = 0; ++ event.preventDefault(); ++ event.stopPropagation(); ++ } ++ ++ switch (event.keyCode) { ++ case 112: stopOthers(); $('#b_class-11').click(); break; ++ case 113: stopOthers(); $('#b_class-12').click(); break; ++ case 114: stopOthers(); $('#b_class-13').click(); break; ++ case 115: stopOthers(); $('#b_class-14').click(); break; ++ case 116: stopOthers(); $('#b_class-15').click(); break; ++ case 117: stopOthers(); $('#b_class-16').click(); break; ++ case 118: stopOthers(); $('#b_class-17').click(); break; ++ case 119: stopOthers(); $('#b_class-1').click(); break; ++ case 120: stopOthers(); $('#b_class-2').click(); break; ++ } ++ }); ++ ++ // Comment window status buttons ++ $(document).on("click", "#cw_buttons", function(event) { ++ var newclass = $(event.target).data('n'); ++ if (newclass == 0) { ++ $('#b_class-' + newclass).click(); ++ } else { ++ $('#b_class-' + newclass).click(); ++ } ++ }); ++ ++ // Highlight colour for selected events ++ var hlcol = "#FFFFE0"; ++ var hlhov = "#FDFDD6"; ++ ++ // Individual selects ++ var clickOne = 0, clck1 = 0, clck2 = 0; ++ $(document).on("click", ".chk_event", function(event) { ++ $("#tl3b").trigger('update'); ++ var clickTwo = this.id.split("_"); ++ if (Number(clickOne[1]) > Number(clickTwo[1])) { ++ clck1 = clickTwo[1]; ++ clck2 = clickOne[1]; ++ } else { ++ clck1 = clickOne[1]; ++ clck2 = clickTwo[1]; ++ } ++ ++ if (event.shiftKey) { ++ if (clck1 != clck2) { ++ $("#s" + clck1).nextUntil("#s" + clck2).find(".chk_event").prop("checked", true); ++ $("#s" + clck1).nextUntil("#s" + clck2).css("background-color", hlcol); ++ $("#s" + clck1).nextUntil("#s" + clck2).hover( ++ function(){$(this).css("background-color", hlhov)}, ++ function(){$(this).css("background-color", hlcol)}); ++ clickOne = 0, clck1 = 0, clck2 = 0; ++ } ++ } ++ ++ // Update class_count ++ $("#class_count").html($(".chk_event:checked").length); ++ if ($("#ca1:checked").length > 0) { ++ $("#ca1").prop("checked",false); ++ 
} ++ clickOne = this.id.split("_"); ++ ++ if ($(this).prop("checked") == true) { ++ $("#s" + clickTwo[1]).css("background-color", hlcol); ++ $("#s" + clickTwo[1]).hover(function(){$(this).css("background-color", hlhov)}, ++ function(){$(this).css("background-color", hlcol)}); ++ } else { ++ $("#s" + clickTwo[1]).css("background-color", "transparent"); ++ $("#s" + clickTwo[1]).hover(function(){$(this).css("background-color", "#f4f4f4")}, ++ function(){$(this).css("background-color", "transparent")}); ++ } ++ }); ++ ++ // Select all (2) ++ $(document).on("click", "#ca1", function(event) { ++ var chkLen = $("#ca1:checked").length; ++ switch(chkLen) { ++ case 0: ++ $(".chk_event").prop("checked",false); ++ $("#ca0").prop("checked",false); ++ $(".d_row_sub1").css("background-color", "transparent"); ++ $(".d_row_sub1").hover(function(){$(this).css("background-color", "#f4f4f4")}, ++ function(){$(this).css("background-color", "transparent")}); ++ break; ++ default: ++ $(".chk_event").each(function() { ++ if ($(this).prop("disabled") == false) { ++ $(this).prop("checked",true); ++ } ++ }); ++ $(".d_row_sub1").css("background-color", hlcol); ++ $(".d_row_sub1").hover(function(){$(this).css("background-color", hlhov)}, ++ function(){$(this).css("background-color", hlcol)}); ++ $("#ca0").prop("checked",true); ++ break; ++ } ++ ++ if ($(".eview_sub1")[0]) { ++ // Update class_count ++ $("#class_count").html($(".chk_event:checked").length); ++ } ++ ++ }); ++ ++ // Select all (2a) - clean this up, the above is almost identical ++ $(document).on("click", "#ca2", function(event) { ++ var chkLen = $("#ca2:checked").length; ++ switch(chkLen) { ++ case 0: ++ $(".chk_event").prop("checked",false); ++ $("#ca2").prop("checked",false); ++ $(".d_row_sub1").css("background-color", "transparent"); ++ $(".d_row_sub1").hover(function(){$(this).css("background-color", "#f4f4f4")}, ++ function(){$(this).css("background-color", "transparent")}); ++ break; ++ default: ++ 
$(".chk_event").each(function() { ++ if ($(this).prop("disabled") == false) { ++ $(this).prop("checked",true); ++ } ++ }); ++ $(".d_row_sub1").css("background-color", hlcol); ++ $(".d_row_sub1").hover(function(){$(this).css("background-color", hlhov)}, ++ function(){$(this).css("background-color", hlcol)}); ++ $("#ca2").prop("checked",true); ++ break; ++ } ++ // Update class_count ++ $("#class_count").html($(".chk_event:checked").length); ++ }); ++ ++ // Class button click ++ $(document).on("click", "[id*=\"b_class-\"]", function() { ++ // We only fire if something is selected ++ var chkLen = parseInt($(".chk_event:checked").length + $(".chk_all:checked").length); ++ var intclass = $(this).attr('id').split("-"); ++ if (chkLen > 0 && intclass[1] != 0) { ++ eClass(this,intclass[1]); ++ } ++ }); ++ ++ function eClass(caller,intclass) { ++ // The sid.cid values ++ var scid= "", scidlist = "", ecls = 0; ++ if ($(".eview_sub1")[0] || $("#ca2")[0]) { ++ $(".chk_event:checked").each(function() { ++ if ($(this).data('eclass') == 0) { ++ ecls++; ++ } ++ scid += $(this).val() + ","; ++ }); ++ scidlist = scid.replace(/,$/, ""); ++ } else { ++ ecls = $(".d_row_active").find(".b_ec_hot").text(); ++ scidlist = $("#ca0").data("scid"); ++ } ++ ++ // Was there a message? ++ var msg = "none"; ++ if ($(".cat_msg_txt").val().length != 0) { ++ msg = $(".cat_msg_txt").val(); ++ } ++ ++ if ($('#cat_box').css('display') != 'none') { ++ $('#ico01').click(); ++ } ++ ++ // We are now ready to class ++ var catdata = intclass + "|||" + msg + "|||" + scidlist; ++ var urArgs = "type=" + 9; ++ $(function(){ ++ $.post(".inc/callback.php?" 
+ urArgs, { catdata: catdata } ,function(data){cb9(data)}); ++ }); ++ ++ function cb9(data){ ++ eval("catRaw=" + data); ++ catDbg = catRaw.dbg; ++ if (catDbg == "0") { ++ ++ var curtotalrtcount = Number(ecls); ++ // Working on grouped events ++ if ($("#gr").text() == "on") { ++ curclasscount = Number($("#class_count").text()); ++ var curtotalparentcount = $(".d_row_active").find(".b_ec_hot").text(); ++ // Do we have queued events? ++ if (curtotalparentcount > 0) { ++ ++ // Are we working on queued events? ++ if (curtotalrtcount > 0) { ++ curclasscount = curtotalrtcount; ++ } else { ++ curclasscount = 0; ++ } ++ // Adjust the parent count ++ newparentcount = parseInt(curtotalparentcount - curclasscount,10); ++ $(".d_row_active").find(".b_ec_hot").text(newparentcount); ++ ++ if (newparentcount == 0) { ++ $(".d_row_active").find(".b_ec_hot").parent().attr('class','row'); ++ $(".d_row_active").find(".b_ec_hot").attr('class','b_ec_cold'); ++ } ++ ++ // If we are working within the child, adjust accordingly ++ if ($(".eview_sub1")[0]) { ++ // How many are in the child ++ curtotalchildcount = $(".d_row_sub_active").find(".b_ec_hot").text(); ++ ++ // Adjust the child count ++ newchildcount = parseInt(curtotalchildcount - curclasscount,10); ++ $(".d_row_sub_active").find(".b_ec_hot").text(newchildcount); ++ if (newchildcount == 0) { ++ $("#ca1").prop("disabled",true); ++ $(".d_row_sub_active").find(".b_ec_hot").parent().attr('class','sub'); ++ $(".d_row_sub_active").find(".b_ec_hot").attr('class','b_ec_cold'); ++ } ++ // Otherwise we were called from the parent ++ } else { ++ $(".d_row_sub").find(".b_ec_hot").parent().attr('class','sub'); ++ $(".d_row_sub").find(".b_ec_hot").text(0); ++ $(".d_row_sub").find(".b_ec_hot").attr('class','b_ec_cold'); ++ $("#ca0").prop("disabled",true); ++ } ++ lastclasscount = newparentcount; ++ } ++ ++ // Lastly, update class_count ++ if (rtbit == 1 || curtotalrtcount > 0 || $("#eview_sub")[0]) { ++ $("#class_count").html(0); ++ } else { ++ 
$("#class_count").html($(".d_row_active").find(".b_ec_total").text()); ++ } ++ ++ // Working on ungrouped events ++ } else { ++ $("#class_count").html(lastclasscount); ++ } ++ ++ // What the new classification is ++ selClass = $(caller).data("cn"); ++ newClass = "a_" + selClass; ++ ++ // Change visible class and disable if RT ++ // If we are RT ungrouped, we just remove ++ if ($('#rt').text() == 'on' && $("#ca2")[0]) { ++ $(".chk_event:checked").each(function() { ++ var pid = $(this).attr("id").split("_"); ++ var nid = parseInt(Number(pid[1]) + 1); ++ // Remove any open payload or TX panes ++ if ($("[id^=eview_]")[0]) { ++ $("[id^=eview_]").remove(); ++ $(".d_row_sub1").css('opacity','1'); ++ } ++ // Remove the row ++ $("#s" + pid[1]).fadeOut('fast', function() { ++ $("#s" + pid[1]).remove(); ++ }); ++ }); ++ ++ // Update table (for sorter) ++ $("#tl3b").trigger('update'); ++ } else { ++ // If we are RT and all events are classed we just remove ++ if ($('#rt').text() == 'on' && $(".d_row_active").find(".b_ec_hot").text() == 0) { ++ $("#active_eview").remove(); ++ $(".d_row_active").fadeOut('slow', function (event) { ++ $(".d_row_active").remove(); ++ var newsigtotal = "-"; ++ var sigtotal = $("#esignature").text(); ++ if (sigtotal > 0) { ++ newsigtotal = parseInt(sigtotal - 1); ++ } ++ $("#esignature").text(newsigtotal); ++ }); ++ $(".d_row").css('opacity','1'); ++ } else { ++ $(".chk_event:checked").each(function() { ++ var n = this.id.split("_"); ++ $("#class_box_" + n[1]).attr('class', newClass); ++ $("#class_box_" + n[1]).text(selClass); ++ if (curtotalparentcount > 0) { ++ $(this).prop("disabled",true); ++ } ++ }); ++ } ++ $(".d_row_sub1").css("background-color", "#fafafa"); ++ $(".d_row_sub1").hover(function(){$(this).css("background-color", "#f4f4f4")}, ++ function(){$(this).css("background-color", "#fafafa")}); ++ } ++ ++ // Uncheck everything ++ $(".chk_event").prop("checked", false); ++ $(".chk_all").prop("checked", false); ++ // Remove these scids from 
the L1 scidlist ++ if ($("#ca0")[0] && rtbit == 1) { ++ var cur_scidlist = scidlist.split(','); ++ var active_scidlist = $("#ca0").data("scid"); ++ for (var i = 0; i < cur_scidlist.length; i++) { ++ active_scidlist = active_scidlist.replace(cur_scidlist[i],''); ++ } ++ active_scidlist = active_scidlist.replace(/,{2,}/g,','); ++ active_scidlist = active_scidlist.replace(/(^,|,$)/g,''); ++ $("#ca0").data("scid", active_scidlist); ++ } ++ catMsg(scidlist.split(',').length, curtotalrtcount); ++ } else { ++ catMsg(0); ++ } ++ } ++ } ++ ++ function catMsg(count, rtcount) { ++ switch (count) { ++ default: ++ var ess = ''; ++ if ( count > 1 ) ess = 's'; ++ ++ var numrows = Number($('.d_row').length + $('.d_row_sub1').length); ++ var newboxtotal = 0, newcatcount = 0; ++ newboxtotal = parseInt($("#qtotal").text() - rtcount); ++ $("#qtotal").text(newboxtotal); ++ ++ // If we are just rt update Total boxes as we go ++ if ($("#ca2")[0]) { // We are ungrouped ++ newcatcount = parseInt($("#cat_count").text() - count); ++ if (newcatcount == 0) { ++ newView("u"); ++ } else { ++ $("#cat_count").text(newcatcount); ++ } ++ } ++ ++ if (numrows == 0) { ++ newView("u"); ++ } ++ ++ var msg = count + " event" + ess + " categorized"; ++ clearTags(); ++ break; ++ } ++ ++ $("span.class_msg").text(msg); ++ $("span.class_msg").fadeIn('slow', function() { ++ setTimeout(function(){ ++ $(".class_msg").fadeOut('slow'); ++ }, 3000); ++ }); ++ } ++ ++ // Load summary tab ++ function loadSummary() { ++ var limit = 10; ++ if ($('#wm0')[0]) { ++ doMap("redraw"); ++ } else { ++ doMap("draw"); ++ } ++ mkSummary("signature",limit); ++ mkSummary("srcip",limit); ++ mkSummary("dstip",limit); ++ mkSummary("srcpt",limit); ++ mkSummary("dstpt",limit); ++ mkSummary("srccc",limit); ++ mkSummary("dstcc",limit); ++ } ++ ++ // Toggle summary section ++ $(document).on("click", ".hidepane", function(e) { ++ $('#topsignature').toggle(); ++ }); ++ ++ // Summary tab ++ function mkSummary(box,limit) { ++ var theWhen = 
getTimestamp(); ++ var theSensors = s2h('empty'); ++ var theFilter = mkFilter(); ++ // See if we are filtering by sensor ++ if ($('.chk_sen:checked').length > 0) { ++ var active_sensors = "AND event.sid IN("; ++ var iter = $('.chk_sen:checked').length; ++ $('.chk_sen:checked').each(function() { ++ active_sensors += "'" + $(this).val() + "',"; ++ }); ++ active_sensors = active_sensors.replace(/,+$/,''); ++ active_sensors += ")"; ++ theSensors = s2h(active_sensors); ++ } ++ ++ var ldr = "
"; ++ $('#ov_' + box + '_sl').prepend(ldr); ++ $('#top' + box).fadeTo('fast', 0.2); ++ switch (box) { ++ case "srcip": ++ var cbArgs = "srcip"; ++ var qargs = "ip-src"; ++ var urArgs = "type=15&qargs=" + qargs + "&filter=" + theFilter + "&sensors=" + theSensors + "&limit=" + limit + "&ts=" + theWhen; ++ $(function(){ ++ $.get(".inc/callback.php?" + urArgs, function(data){cb15(data,cbArgs)}); ++ }); ++ break; ++ case "dstip": ++ var cbArgs = "dstip"; ++ var qargs = "ip-dst"; ++ var urArgs = "type=15&qargs=" + qargs + "&filter=" + theFilter + "&sensors=" + theSensors + "&limit=" + limit + "&ts=" + theWhen; ++ $(function(){ ++ $.get(".inc/callback.php?" + urArgs, function(data){cb15(data,cbArgs)}); ++ }); ++ break; ++ case "srcpt": ++ var cbArgs = "srcpt"; ++ var qargs = "pt-src"; ++ var urArgs = "type=15&qargs=" + qargs + "&filter=" + theFilter + "&sensors=" + theSensors + "&limit=" + limit + "&ts=" + theWhen; ++ $(function(){ ++ $.get(".inc/callback.php?" + urArgs, function(data){cb17(data,cbArgs)}); ++ }); ++ break; ++ case "dstpt": ++ var cbArgs = "dstpt"; ++ var qargs = "pt-dst"; ++ var urArgs = "type=15&qargs=" + qargs + "&filter=" + theFilter + "&sensors=" + theSensors + "&limit=" + limit + "&ts=" + theWhen; ++ $(function(){ ++ $.get(".inc/callback.php?" + urArgs, function(data){cb17(data,cbArgs)}); ++ }); ++ break; ++ case "signature": ++ var qargs = "sig-sig"; ++ var urArgs = "type=15&qargs=" + qargs + "&filter=" + theFilter + "&sensors=" + theSensors + "&limit=" + limit + "&ts=" + theWhen; ++ $(function(){ ++ $.get(".inc/callback.php?" + urArgs, function(data){cb16(data)}); ++ }); ++ break; ++ case "srccc": ++ var cbArgs = "srccc"; ++ var qargs = "cc-src"; ++ var urArgs = "type=15&qargs=" + qargs + "&filter=" + theFilter + "&sensors=" + theSensors + "&limit=" + limit + "&ts=" + theWhen; ++ $(function(){ ++ $.get(".inc/callback.php?" 
+ urArgs, function(data){cb15(data,cbArgs)}); ++ }); ++ break; ++ case "dstcc": ++ var cbArgs = "dstcc"; ++ var qargs = "cc-dst"; ++ var urArgs = "type=15&qargs=" + qargs + "&filter=" + theFilter + "&sensors=" + theSensors + "&limit=" + limit + "&ts=" + theWhen; ++ $(function(){ ++ $.get(".inc/callback.php?" + urArgs, function(data){cb15(data,cbArgs)}); ++ }); ++ break; ++ } ++ ++ // IP and Country ++ function cb15(data,cbArgs){ ++ var ch = "SRC"; ++ var wip = "d"; ++ if (cbArgs[0] == "s") ch = "DST", wip = "s"; ++ eval("raw=" + data); ++ var tbl = '', head = '', row = ''; ++ head += ""; ++ head += "COUNT"; ++ head += "%TOTAL"; ++ head += "#SIG"; ++ head += "#" + ch + ""; ++ if (cbArgs[3] == "c") { ++ head += "COUNTRY"; ++ head += "#IP"; ++ } else { ++ head += "IP"; ++ head += "COUNTRY"; ++ } ++ head += ""; ++ ++ var eventsum = raw[raw.length - 1].n || 0; ++ var records = raw[raw.length - 1].r || 0; ++ if (records == 0) { ++ row = "No result."; ++ $("#ov_" + cbArgs + "_sl").text(""); ++ } ++ for (var i=0; i 0) per = parseFloat(cnt/eventsum*100).toFixed(2); ++ row += ""; ++ row += "" + cnt + ""; ++ row += "" + per + "%"; ++ row += "" + sigs + ""; ++ row += "" + ip2 + ""; ++ ++ if (cbArgs[3] == "c") { ++ row += ""; ++ row += cs[1] + clong + " (." + cc.toLowerCase() + ")" + ""; ++ row += "" + ip + ""; ++ } else { ++ row += "
" + ip + ""; ++ row += ""; ++ row += cs[1] + clong + " (." + cc.toLowerCase() + ")" + ""; ++ } ++ row += ""; ++ row += "
"; ++ } ++ tbl += ""; ++ tbl += head; ++ tbl += row; ++ tbl += "
"; ++ if ($("#top" + cbArgs)[0]) $("#top" + cbArgs).remove(); ++ $("#ov_" + cbArgs + "_sl").after(tbl); ++ $("#ov_" + cbArgs + "_msg").html("viewing " + i + " of " + records + " results"); ++ mkSlider("ov_" + cbArgs + "_sl", i, records); ++ } ++ ++ // Ports ++ function cb17(data,cbArgs){ ++ eval("raw=" + data); ++ var tbl = '', head = '', row = ''; ++ head += ""; ++ head += "COUNT"; ++ head += "%TOTAL"; ++ head += "#SIG"; ++ head += "#SRC" ++ head += "#DST"; ++ head += "PORT"; ++ head += ""; ++ ++ var eventsum = raw[raw.length - 1].n || 0; ++ var records = raw[raw.length - 1].r || 0; ++ if (records == 0) { ++ row = "No result."; ++ $("#ov_" + cbArgs + "_sl").text(""); ++ } ++ for (var i=0; i 0) per = parseFloat(cnt/eventsum*100).toFixed(2); ++ row += ""; ++ row += "" + cnt + ""; ++ row += "" + per + "%"; ++ row += "" + sigs + ""; ++ row += "" + src + ""; ++ row += "" + dst + ""; ++ row += "" + port + ""; ++ row += ""; ++ row += "
"; ++ } ++ tbl += ""; ++ tbl += head; ++ tbl += row; ++ tbl += "
"; ++ if ($("#top" + cbArgs)[0]) $("#top" + cbArgs).remove(); ++ $("#ov_" + cbArgs + "_sl").after(tbl); ++ $("#ov_" + cbArgs + "_msg").html("viewing " + i + " of " + records + " results"); ++ mkSlider("ov_" + cbArgs + "_sl", i, records); ++ } ++ // Signature ++ function cb16(data){ ++ eval("raw=" + data); ++ var tbl = '', head = '', row = ''; ++ head += ""; ++ head += "COUNT"; ++ head += "%TOTAL"; ++ head += "#SRC"; ++ head += "#DST"; ++ head += "SIGNATURE"; ++ head += "ID"; ++ head += ""; ++ ++ var eventsum = raw[raw.length - 1].n || 0; ++ var records = raw[raw.length - 1].r || 0; ++ if (records == 0) { ++ row = "No result."; ++ $("#ov_signature_sl").text(""); ++ $("#ovestat").html("(No events)"); ++ } else { ++ $("#ovestat").html("(" + eventsum + " events)"); ++ } ++ for (var i=0; i 0) per = parseFloat(cnt/eventsum*100).toFixed(2); ++ row += ""; ++ row += "" + cnt + ""; ++ row += "" + per + "%"; ++ row += "" + src + ""; ++ row += "" + dst + ""; ++ row += "" + sig + ""; ++ row += "" + sid + ""; ++ row += ""; ++ row += "
"; ++ } ++ ++ tbl += ""; ++ tbl += head; ++ tbl += row; ++ tbl += "
"; ++ if ($('#topsignature')[0]) $('#topsignature').remove(); ++ $("#ov_signature_sl").after(tbl); ++ $("#ov_signature_msg").html("viewing " + i + " of " + records + " results"); ++ mkSlider("ov_signature_sl", i, records); ++ } ++ } ++ ++ $(".ovsl").mouseup(function() { ++ var section = $(this).attr('id'); ++ var base = section.split("_")[1]; ++ var limit = Number($("#" + section + "_lbl").text()); ++ if (limit > 0) mkSummary(base, limit); ++ }); ++ ++ // ++ // Views tab ++ // ++ ++ function loadViews() { ++ $('.db_links').show(); ++ if (!$("#db_view_cont")[0]) mkView(); ++ } ++ ++ // Link handlers ++ $(document).on('click', '.db_link', function() { ++ $('.db_link').each(function() { ++ if ($(this).data('state') == '1') { ++ $(this).removeClass('db_link_active'); ++ $(this).data('state', '0'); ++ } ++ }); ++ $(this).data('state', '1'); ++ mkView(); ++ }); ++ ++ $(document).on('click', '.db_type', function() { ++ $('.db_type').each(function() { ++ if ($(this).data('state') == '1') { ++ $(this).removeClass('db_type_active'); ++ $(this).data('state', '0'); ++ } ++ }); ++ $(this).data('state', '1'); ++ mkView(); ++ }); ++ ++ $(document).on('click','.db_save', function() { ++ ++ }); ++ ++ // Create the view ++ function mkView() { ++ $('#db_view_cont,#hp_info').remove(); ++ if (!$("#db_view_ldr")[0]) { ++ var view = 'ip'; ++ $('.db_link').each(function() { ++ if ($(this).data('state') == '1') { ++ $(this).addClass('db_link_active'); ++ view = $(this).data('val'); ++ } ++ }); ++ ++ var type = 'sk'; ++ $('.db_type').each(function() { ++ if ($(this).data('state') == '1') { ++ $(this).addClass('db_type_active'); ++ type = $(this).data('type'); ++ } ++ }); ++ ++ var theWhen = getTimestamp(); ++ var theSensors = s2h('empty'); ++ var theFilter = mkFilter(); ++ // See if we are filtering by sensor ++ if ($('.chk_sen:checked').length > 0) { ++ var active_sensors = "AND event.sid IN("; ++ var iter = $('.chk_sen:checked').length; ++ $('.chk_sen:checked').each(function() { ++ 
active_sensors += "'" + $(this).val() + "',"; ++ }); ++ active_sensors = active_sensors.replace(/,+$/,''); ++ active_sensors += ")"; ++ theSensors = s2h(active_sensors); ++ } ++ ++ var ldr = "
"; ++ $('.db_view').after(ldr); ++ var qargs = view + "-" + type; ++ var urArgs = "type=16&qargs=" + qargs + "&filter=" + theFilter + "&sensors=" + theSensors + "&ts=" + theWhen; ++ $(function(){ ++ $.get(".inc/callback.php?" + urArgs, function(data){cb17(data,type)}); ++ }); ++ ++ function cb17(data,type) { ++ eval("viewData=" + data); ++ var records = viewData.records; ++ if ($('#db_view_cont')[0]) $('#db_view_cont').remove(); ++ if (records > 0) { ++ $('.db_view').after("
"); ++ switch (type) { ++ case 'sk': ++ var w = $(window).width(); ++ var h = viewData.links.length * 12; ++ if (h < 100) h = 100; ++ mkSankey("db_view_cont",viewData,w,h); ++ break; ++ } ++ } else { ++ $('.db_view').after("
The query returned no results.
"); ++ } ++ $('#db_view_ldr').remove(); ++ } ++ } ++ } ++ ++ // Make a map ++ function doMap() { ++ theWhen = getTimestamp(); ++ var theFilter = mkFilter(); ++ var working = "Working
"; ++ ++ $('#wm0').html(working); ++ ++ var urArgs = "type=" + 10 + "&filter=" + theFilter + "&ts=" + theWhen; ++ $(function(){ ++ $.get(".inc/callback.php?" + urArgs, function(data){cb10(data)}); ++ }); ++ ++ function cb10(data){ ++ eval("mapRaw=" + data); ++ try { ++ var mapDetail = $.parseJSON("{" + mapRaw.all + "}"); ++ var srcc = mapRaw.srcc; ++ var srce = mapRaw.srce; ++ var dstc = mapRaw.dstc; ++ var dste = mapRaw.dste; ++ var allc = mapRaw.allc; ++ var alle = mapRaw.alle; ++ } ++ catch(e) { ++ var mapDetail = "{\"\"}"; ++ } ++ ++ // What is our current event total? ++ var esum = $('#event_sum').val(); ++ var w = $(window).width() - 72; ++ var h = w / 2.7 ; ++ $("#ov_map").html("
"); ++ $('#wm0').vectorMap({ ++ map: 'world_mill_en', ++ color: '#f4f3f0', ++ backgroundColor: '#CFE1FC', ++ zoomOnScroll: false, ++ onRegionClick: function(event, code){ ++ hItemAdd(code); ++ $('#search').val("cc" + " " + code); ++ $('#search').focus(); ++ }, ++ series: { ++ regions: [{ ++ values: mapDetail, ++ scale: ['#ffffff', '#000000'], ++ normalizeFunction: 'polynomial' ++ }] ++ }, ++ onRegionLabelShow: function(e, el, code){ ++ if (mapDetail[code]) { ++ var eper = parseFloat(mapDetail[code]/esum*100).toFixed(3); ++ el.html(el.html() + ' (' + mapDetail[code] + ' Events ' + eper + '% of Total)'); ++ } else { ++ el.html(el.html()); ++ } ++ } ++ }); ++ ++ var stats = "("; ++ stats += allc + " distinct countries)"; ++ $("#ovmapstat").html(stats); ++ } ++ } ++ ++ // Redraw map ++ $(document).on("click", "#map_src, #map_dst", function() { ++ doMap($(this).attr('id').split("_")[1]); ++ }); ++ ++ // ++ // History ++ // ++ ++ function doHistory(object) { ++ $('#loader').show(); ++ var urArgs = "type=" + 21 + "&object=" + s2h("aa" + object) + "&ts=" + theWhen; ++ $(function(){ ++ $.get(".inc/callback.php?" 
+ urArgs, function(data){cb21(data)}); ++ }); ++ ++ function cb21(data){ ++ eval("chartData=" + data); ++ var r1 = chartData.r1; ++ var r2 = chartData.r2; ++ var sum = 0; ++ if (r1 > 0) { ++ mkHeatMap(".ev_hm",chartData.start,chartData.rows1,object); ++ $('#obhist_sig').remove(); ++ if (r2 > 0) { ++ ++ for (var i=0; i < r2; i++) { ++ sum += Number(chartData.rows2[i].value); ++ } ++ ++ var tbl = '', head = '', row = ''; ++ head += ""; ++ head += "COUNT"; ++ head += "%TOTAL"; ++ head += "SIGNATURE"; ++ head += ""; ++ row += ""; ++ ++ for (var i=0; i < r2; i++) { ++ ++ var cnt = chartData.rows2[i].value || "-"; ++ var sig = chartData.rows2[i].label || "-"; ++ var sid = chartData.rows2[i].sid || "-"; ++ var per = 0; ++ if (sum > 0) var per = parseFloat(cnt/sum*100).toFixed(2); ++ var tsg = truncTag(sig,60); ++ ++ row += ""; ++ row += "" + cnt + ""; ++ row += "" + per + "%"; ++ row += "" + tsg + ""; ++ row += "" ++ row += "
"; ++ } ++ ++ row += ""; ++ tbl += ""; ++ tbl += head; ++ tbl += row; ++ tbl += "
";
++ if ($('#obhist_sig')[0]) $('#obhist_sig').remove();
++ $(".ev_py").append(tbl);
++ }
++ } else {
++ return;
++ }
++ if ($(".eview_charts")[0]) $('.eview_charts').slideDown('slow');
++ $("#loader").hide();
++ }
++ }
++// The End.
++});
+--- /dev/null
++++ securityonion-squert-20161212/.auth/native/squert/login.php
+@@ -0,0 +1,138 @@
++
++//
++// This program is free software: you can redistribute it and/or modify
++// it under the terms of the GNU General Public License as published by
++// the Free Software Foundation, either version 3 of the License, or
++// (at your option) any later version.
++//
++// This program is distributed in the hope that it will be useful,
++// but WITHOUT ANY WARRANTY; without even the implied warranty of
++// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
++// GNU General Public License for more details.
++//
++// You should have received a copy of the GNU General Public License
++// along with this program. If not, see .
++//
++//
++
++include_once '.inc/config.php';
++
++$username = $password = $err = '';
++$focus = 'username';
++session_set_cookie_params(0, NULL, NULL, NULL, TRUE);
++
++function cleanUp($string) {
++ if (get_magic_quotes_gpc()) {
++ $string = stripslashes($string);
++ }
++ $string = mysql_real_escape_string($string);
++ return $string;
++}
++
++if ($_SERVER['REQUEST_METHOD'] == 'POST'){
++ $username = $_REQUEST['username'];
++ $password = $_REQUEST['password'];
++ $ua = $_SERVER['HTTP_USER_AGENT'];
++ $rqt = $_SERVER['REQUEST_TIME'];
++ $rqaddr = $_SERVER['REMOTE_ADDR'];
++ $max = mt_getrandmax();
++ $rqt .= mt_rand(0,$max);
++ $rqaddr .= mt_rand(0,$max);
++ $ua .= mt_rand(0,$max);
++ $cmpid = $rqt . $rqaddr .
$ua;
++ $id = md5($cmpid);
++ $db = mysql_connect($dbHost,$dbUser,$dbPass);
++ $link = mysql_select_db($dbName, $db);
++ if ($link) {
++ $user = cleanUp($username);
++ $query = "SELECT * FROM user_info WHERE username = '$user'";
++ $result = mysql_query($query);
++ $numRows = mysql_num_rows($result);
++
++ if ($numRows > 0) {
++ while ($row = mysql_fetch_row($result)) {
++ $userName = $row[1];
++ $lastLogin = $row[2];
++ $userHash = $row[3];
++ $userEmail = $row[4];
++ $userType = $row[5];
++ $userTime = $row[6];
++ $tzoffset = $row[7];
++ }
++ // The first 2 chars are the salt
++ $theSalt = substr($userHash, 0,2);
++
++ // The remainder is the hash
++ $theHash = substr($userHash, 2);
++
++ // Now we hash the users input
++ $testHash = sha1($password . $theSalt);
++
++ // Does it match? If yes, start the session.
++ if ($testHash === $theHash) {
++ session_start();
++
++ // Protect against session fixation attack
++ if (!isset($_SESSION['initiated'])) {
++ session_regenerate_id();
++ $_SESSION['initiated'] = true;
++ }
++
++ $_SESSION['sLogin'] = 1;
++ $_SESSION['sUser'] = $userName;
++ $_SESSION['sPass'] = $password;
++ $_SESSION['sEmail'] = $userEmail;
++ $_SESSION['sType'] = $userType;
++ $_SESSION['sTime'] = $userTime;
++ $_SESSION['tzoffset'] = $tzoffset;
++ $_SESSION['sTab'] = 't_sum';
++ $_SESSION['id'] = $id;
++
++ header ("Location: index.php?id=$id");
++ } else {
++ $err = 'The user name or password is incorrect.';
++ $focus = 'username';
++ }
++ } else {
++ $err = 'The user name or password is incorrect.';
++ $focus = 'username';
++ }
++ } else {
++ $err = 'Connection Failed';
++ }
++}
++?>
++
++
++Please login to continue
++
++
++
++
++
++
++ ++ ++ ++ ++ ++ ++
++squert - Please login to continue
++Username
++
++Password
++
++

++
Version 1.6.7©2016 Paul Halliday
++
++
++ ++ ++ +--- securityonion-squert-20161212.orig/.auth/squert/login.php ++++ /dev/null +@@ -1,138 +0,0 @@ +- +-// +-// This program is free software: you can redistribute it and/or modify +-// it under the terms of the GNU General Public License as published by +-// the Free Software Foundation, either version 3 of the License, or +-// (at your option) any later version. +-// +-// This program is distributed in the hope that it will be useful, +-// but WITHOUT ANY WARRANTY; without even the implied warranty of +-// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +-// GNU General Public License for more details. +-// +-// You should have received a copy of the GNU General Public License +-// along with this program. If not, see . +-// +-// +- +-include_once '.inc/config.php'; +- +-$username = $password = $err = ''; +-$focus = 'username'; +-session_set_cookie_params(0, NULL, NULL, NULL, TRUE); +- +-function cleanUp($string) { +- if (get_magic_quotes_gpc()) { +- $string = stripslashes($string); +- } +- $string = mysql_real_escape_string($string); +- return $string; +-} +- +-if ($_SERVER['REQUEST_METHOD'] == 'POST'){ +- $username = $_REQUEST['username']; +- $password = $_REQUEST['password']; +- $ua = $_SERVER['HTTP_USER_AGENT']; +- $rqt = $_SERVER['REQUEST_TIME']; +- $rqaddr = $_SERVER['REMOTE_ADDR']; +- $max = mt_getrandmax(); +- $rqt .= mt_rand(0,$max); +- $rqaddr .= mt_rand(0,$max); +- $ua .= mt_rand(0,$max); +- $cmpid = $rqt . $rqaddr . 
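Review bot: The successful-login branch of the added login.php keeps the submitted plaintext password in server-side session state, `$_SESSION['sPass'] = $password;`, so any exposure or serialization of the session store yields credentials instead of a revocable session; nothing in this hunk reads the key back, so the line can be dropped, or replaced by a non-secret flag if a caller elsewhere needs it. The credential check `$testHash = sha1($password . $theSalt);` with a two-character salt sliced from the stored hash is not a password-hashing construction; `password_verify()` against a `password_hash()` value, re-hashing on first successful login, would fix this without a schema change. `header ("Location: index.php?id=$id");` is not followed by `exit;`, so the login form below is still rendered into the redirect response. The file also still depends on `mysql_connect`, `mysql_real_escape_string` and `get_magic_quotes_gpc()`, all removed in PHP 7, and builds the user lookup by interpolating `$user` into the SQL string; the whole file is inside this hunk, so porting it to a PDO prepared statement here would keep it consistent with the rest of the patch.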
$ua; +- $id = md5($cmpid); +- $db = mysql_connect($dbHost,$dbUser,$dbPass); +- $link = mysql_select_db($dbName, $db); +- if ($link) { +- $user = cleanUp($username); +- $query = "SELECT * FROM user_info WHERE username = '$user'"; +- $result = mysql_query($query); +- $numRows = mysql_num_rows($result); +- +- if ($numRows > 0) { +- while ($row = mysql_fetch_row($result)) { +- $userName = $row[1]; +- $lastLogin = $row[2]; +- $userHash = $row[3]; +- $userEmail = $row[4]; +- $userType = $row[5]; +- $userTime = $row[6]; +- $tzoffset = $row[7]; +- } +- // The first 2 chars are the salt +- $theSalt = substr($userHash, 0,2); +- +- // The remainder is the hash +- $theHash = substr($userHash, 2); +- +- // Now we hash the users input +- $testHash = sha1($password . $theSalt); +- +- // Does it match? If yes, start the session. +- if ($testHash === $theHash) { +- session_start(); +- +- // Protect against session fixation attack +- if (!isset($_SESSION['initiated'])) { +- session_regenerate_id(); +- $_SESSION['initiated'] = true; +- } +- +- $_SESSION['sLogin'] = 1; +- $_SESSION['sUser'] = $userName; +- $_SESSION['sPass'] = $password; +- $_SESSION['sEmail'] = $userEmail; +- $_SESSION['sType'] = $userType; +- $_SESSION['sTime'] = $userTime; +- $_SESSION['tzoffset'] = $tzoffset; +- $_SESSION['sTab'] = 't_sum'; +- $_SESSION['id'] = $id; +- +- header ("Location: index.php?id=$id"); +- } else { +- $err = 'The user name or password is incorrect.'; +- $focus = 'username'; +- } +- } else { +- $err = 'The user name or password is incorrect.'; +- $focus = 'username'; +- } +- } else { +- $err = 'Connection Failed'; +- } +-} +-?> +- +- +- +-Please login to continue +- +- +- +- +-
+-
+- +- +- +- +- +- +-
+-squert - Please login to continue
+-Username
+-
+-Password
+-
+-

+-
Version 1.6.7©2016 Paul Halliday
+-
+-
+- +- +- +--- securityonion-squert-20161212.orig/.auth/squert/squertMain.js ++++ /dev/null +@@ -1,3275 +0,0 @@ +-/* Copyright (C) 2012 Paul Halliday */ +- +-$(document).ready(function(){ +- +- $(document).on('click', '[class*="bpr"]', function() { +- // We disallow filtering if any events have already been selected +- // or if we stray from the event tab +- if ($('.d_row_active')[0]) return; +- if ($(".chk_event:checked").length > 0) return; +- if ($(".tab_active").attr('id') != 't_sum') return; +- +- var prClass = $(this).attr('class').split('b')[1]; +- var prOld = $(this).data('pr'); +- +- function flipIt(pattern) { +- $(pattern).closest('tr').hide(); +- $(pattern).closest('tr').attr('class','hidden'); +- if ($('#gr').text() == 'on') $(pattern).closest('tr').find('.chk_event').prop("disabled",true); +- } +- if ($('.b' + prClass).attr('class') == 'bprA') { +- $('.b' + prClass).attr('class', 'bpr' + prOld); +- $('.hidden').attr('class','d_row'); +- $('.d_row').show(); +- if ($('#gr').text() == 'on') { +- $('.chk_event').prop("disabled",false); +- $('.chk_all').prop("checked",false); +- $('.chk_event').css("background-color", "#fafafa"); +- } +- } else { +- // See if we are already filtered +- if ($('.bprA')[0]) { +- $('.hidden').attr('class','d_row'); +- $('.d_row').show(); +- if ($('#gr').text() == 'on') { +- $('.chk_event').prop("disabled",false); +- $('.chk_all').prop("checked",false); +- $('.chk_event').css("background-color", "#fafafa"); +- } +- var prPrev = $('.bprA').data('pr'); +- $('.bprA').attr('class', 'bpr' + prPrev); +- } +- $('.b' + prClass).attr('class','bprA'); +- switch (prClass) { +- case "pr1": ptrn = ".pr2,.pr3,.pr4"; break; +- case "pr2": ptrn = ".pr1,.pr3,.pr4"; break; +- case "pr3": ptrn = ".pr1,.pr2,.pr4"; break; +- case "pr4": ptrn = ".pr1,.pr2,.pr3"; break; +- } +- flipIt(ptrn); +- } +- }); +- +- // +- // Load main content +- // +- +- // Keep track of context +- thisUser = $('#t_usr').data('c_usr'); +- thisTZ = $('#user_tz').val(); +- 
rtbit = 0; +- eventList("0-aaa-00"); +- $("#loader").show(); +- lastclasscount = 0; +- +- $(document).on("click", "#dt_savetz", function(event) { +- if ($('.dt_error').data('err') == 0) { +- var newOffset = $('#ts_offset').val(); +- profileUpdate("tz", s2h(newOffset)); +- $('#user_tz').val(newOffset); +- } +- }); +- +- // Depending on context a 'No result' may be confusing +- // so we turn off active queue and show everything +- $(document).on('click', '#retry', function() { +- $('#rt').attr('class','tvalue_off'); +- $('#rt').text('off'); +- rtbit = 0; +- $('.b_update').click(); +- }); +- +- // Get event statuses +- var eTotal = 0, qTotal = 0; +- function statusPoll(caller) { +- // See if we are filtering by sensor +- var theSensors = s2h('empty'); +- if ($('.chk_sen:checked').length > 0) { +- var active_sensors = "AND event.sid IN("; +- var iter = $('.chk_sen:checked').length; +- $('.chk_sen:checked').each(function() { +- active_sensors += "'" + $(this).val() + "',"; +- }); +- active_sensors = active_sensors.replace(/,+$/,''); +- active_sensors += ")"; +- theSensors = s2h(active_sensors); +- } +- +- var urArgs = "type=" + 6 + "&ts=" + theWhen + "&sensors=" + theSensors; +- $(function(){ +- $.get(".inc/callback.php?" + urArgs, function(data){cb(data)}); +- }); +- +- function cb(data){ +- // Check to make sure we still have a valid session. If we don't +- // let the user know and return them to the login page. +- if (data[0] == "<") { +- $("span.class_msg").text("Your session has expired!"); +- $("span.class_msg").css("background-color", "#cc0000"); +- $("span.class_msg").css("color", "#fff"); +- $("span.class_msg").show(); +- var sessionDead = confirm("Your session has expired. Press \"OK\" to return to the login page. If you aren't finished with what you were looking at click 'Cancel'. 
Note: you won't be able to perform any actions."); +- if (sessionDead) { +- $("#logout").click(); +- } +- } +- eval("ec=" + data); +- +- var esum = 0; +- +- for (var i=0; i 0) { +- var p = parseFloat(ecount/esum*100).toFixed(1); +- var w = parseInt(p*2); +- } +- if (eclass == 0) { +- qTotal = ecount; +- } +- $("#c-" + eclass).text(ecount); +- $("#c-" + eclass).append("(" + p + "%)"); +- } +- +- var lastcount = $("#cat_sum").val(); +- var newcount = esum; +- $("#cat_sum").val(esum); +- eTotal = esum; +- $("#event_sum").val(eTotal); +- +- if (caller == 0) { // Fresh load +- lastcount = newcount; +- } +- +- // Last RT value +- var lastQ = Number($("#qtotal").html()); +- if (lastcount < newcount) { +- $("#etotal").html(eTotal); +- } +- +- if (lastQ < qTotal) { +- if (caller != 0) { +- if ($(".icon_notifier").css('display') == 'none') $(".icon_notifier").fadeToggle(); +- } +- $("#etotal").html(eTotal); +- $("#qtotal").html(qTotal); +- } +- +- $("#title").html("squert (" + qTotal + ") - " + thisUser); +- +- } +- +- } +- +- // +- // Event monitor (how often we poll for new events) +- // +- +- var emTimeout = 30000; +- window.setInterval(function(){ +- if ($('#search').val().length == 0) { +- statusPoll(1); +- } +- }, emTimeout); +- +- $(document).on("click", '[class*="cl_"]', function(event) { +- var nc = $(this).attr('class').split("_"); +- var ct = $(this).parents('table').data('comment'); +- $(".cat_msg_txt").val(ct); +- $('#b_class-' + nc[1]).click(); +- }); +- +- // Tabs +- var tab_cached = $("#sel_tab").val(); +- +- switch (tab_cached) { +- case "t_sum": +- $('.content-right').show(); +- break; +- case "t_ovr": +- $('.content-right').hide(); +- $('.content-left').hide(); +- if ($('#ovestat').text().length == 0) loadSummary(); +- break; +- case "t_view": +- $('.content-right').hide(); +- $('.content-left').hide(); +- loadViews(); +- default: +- $('.content-right').hide(); +- $('.content-left').hide(); +- break; +- } +- +- $('#' + 
tab_cached).attr('class','tab_active'); +- $("#" + tab_cached + "_content").attr('class','content_active'); +- +- $(".tab,.tab_active").click(function(event) { +- var active = $(".tab_active").attr('id'); +- var content = $(".content_active").attr('id'); +- if ($(".fl_val_on")[0]) { +- $('.b_update').click(); +- } +- +- if ( this.id != active ) { +- $("#" + active).removeClass('tab_active'); +- $("#" + active).addClass('tab'); +- $(this).attr('class','tab_active'); +- $("#" + content).attr('class','content'); +- $("#" + this.id + "_content").attr('class','content_active'); +- activeTab = $(".tab_active").attr('id'); +- $('.pin').hide(); +- +- switch (activeTab) { +- case "t_sum": +- $('.content-right').show(); +- if (Number($('.botog').data('val')) == 1) $('.content-left').show(); +- $('.t_pbar').css('opacity',1); +- $('.db_links').hide(); +- $('.pin').show(); +- break; +- case "t_ovr": +- $('.content-right').hide(); +- $('.content-left').hide(); +- if ($('#ovestat').text().length == 0) loadSummary(); +- $('.t_pbar').css('opacity',.1); +- $('.db_links').hide(); +- break; +- case "t_view": +- $('.content-right').hide(); +- $('.content-left').hide(); +- $('.t_pbar').css('opacity',.1); +- loadViews(); +- break; +- default: +- $('.content-right').hide(); +- $('.content-left').hide(); +- $('.t_pbar').css('opacity',.1); +- $('.db_links').hide(); +- break; +- } +- +- $('#sel_tab').val(activeTab); +- var ctab = $('#sel_tab').val(); +- var urArgs = "type=" + 5 + "&tab=" + ctab; +- $.get(".inc/callback.php?" 
+ urArgs); +- } +- }); +- +- // Sub tab groups +- $(".tsg").click(function(event) { +- var nc = Number($(this).attr('class').split(/\s/).length); +- var ct = $(this).data('tab'); +- $('.tsg_active').attr('class','tsg'); +- $(this).attr('class','tsg tsg_active'); +- }); +- +- // Toggle and update views +- function newView(req) { +- // No racing please +- var bail = $("#loader").css('display'); +- if (bail != 'none') return; +- // Remove any stale views +- $("#tl0,#tl1,#tl3a,#tl3b").remove(); +- var f = "0-aaa-00"; +- var s = "2a-aaa-00"; +- var cv = $("#gr").text(); +- +- switch (cv) { +- case "on": +- eventList(f); +- $("#loader").show(); +- break; +- case "off": +- eventList(s); +- $("#loader").show(); +- break; +- } +- } +- +- // Group and ungroup +- $(document).on("click", "#gr", function(event) { +- var bail = $("#loader").css('display'); +- if (bail != 'none') return; +- var cv = $('#gr').text(); +- switch (cv) { +- case 'on': +- $('#gr').attr('class','tvalue_off'); +- $('#gr').text('off'); +- break; +- case 'off': +- $('#gr').attr('class','tvalue_on'); +- $('#gr').text('on'); +- $("#event_sort").val("DESC"); +- break; +- } +- }); +- +- // RT check/uncheck +- $(document).on("click", "#rt", function(event) { +- var bail = $("#loader").css('display'); +- if (bail != 'none') return; +- var cv = $('#rt').text(); +- switch (cv) { +- case 'on': +- $('#rt').attr('class','tvalue_off'); +- $('#rt').text('off'); +- rtbit = 0; +- break; +- case 'off': +- $('#rt').attr('class','tvalue_on'); +- $('#rt').text('on'); +- rtbit = 1; +- break; +- } +- }); +- +- // Toggle side/lower bars +- $(document).on("click", ".botog", function(event) { +- if ($('.tab_active').attr('id') != 't_sum') return; +- var n = Number($('.botog').data("val")); +- switch (n) { +- case 1: +- $('.botog').data("val","0"); +- $('.content-right').css("width","100%"); +- $('.botog').attr('src','.css/layout0.png'); +- break; +- case 0: +- $('.botog').data("val","1"); +- 
$('.content-right').css("width","82%"); +- $('.botog').attr('src','.css/layout1.png'); +- break; +- } +- $('.bottom').animate({height: 'toggle'}); +- $('.content-left').animate({width: 'toggle'}); +- }); +- +- // Section show and hide +- $(".st").click(function() { +- var thisSec = $(this).data("sec"); +- var thisSecID = "#sec_" + thisSec; +- var thisSecVis = $(thisSecID).css("display"); +- var lastSection = "h"; +- switch (thisSecVis) { +- case "none": +- $(this).attr("src", ".css/uarr.png"); +- $(thisSecID).slideDown(); +- break; +- default: +- $(this).attr("src", ".css/darr.png"); +- $(thisSecID).slideUp(); +- break; +- } +- }); +- +- // If search is in focus, update on enter +- $('#search').keypress(function(e) { +- if (!e) e=window.event; +- key = e.keyCode ? e.keyCode : e.which; +- if (key == 13) { +- // Close comment box if it is open +- if ($('#cat_box').css('display') != 'none') { +- $('#ico01').click(); +- } +- $('.b_update').click(); +- } +- }); +- +- // Sort ASC/DESC +- $(document).on("click", ".event_time", function(event) { +- var csv = $(".event_time").text(); +- switch (csv) { +- case "show oldest first": +- $("#event_sort").val("ASC"); +- break; +- case "show newest first": +- $("#event_sort").val("DESC"); +- break; +- } +- newView("u"); +- }); +- +- // Update page +- $(document).on("click", ".b_update", function(event) { +- $(".icon_notifier").fadeToggle(); +- $(".tag").remove(); +- $(".tag_empty").show(); +- // Remove any supplementary results +- if ($("#extresult")[0]) $("#extresult").remove(); +- // Where are we? 
+- var curTab = $('.tab_active').attr('id'); +- switch (curTab) { +- case 't_ovr': +- loadSummary(); +- break; +- case 't_view': +- mkView(); +- break; +- default: +- $(".b_update_note").hide(); +- newView("u"); +- break; +- } +- }); +- +- // Clear search and refresh +- $('#clear_search').click(function() { +- if ($('#search').val() != '') { +- $('#search').val(''); +- $("#search").focus(); +- if ($(".fl_val_on")[0]) { +- $('.b_update').click(); +- } +- } +- }); +- +- // Logout +- $("#logout").click(function(event) { +- $.get("index.php?id=0", function(){location.reload()}); +- }); +- +- // Toggle filters +- $(document).on('click', '.fl_val_on', function(event) { +- var wF = $(this).data("ft"); +- switch (wF) { +- case "tl": +- +- break; +- case "ob": +- $('#clear_search').click(); +- break; +- case "sn": +- $(".chk_sen").each(function() { +- $(this).prop("checked",false); +- }); +- $('.b_update').click(); +- break; +- } +- }); +- +- function clearTags() { +- //$(".tag").remove(); +- //$(".tag_empty").show(); +- $(".tag").removeClass('tag_active'); +- } +- +- // +- // Rows +- // +- +- function closeRow() { +- $("#active_eview").remove(); +- $("#" + this.id).attr('class','d_row'); +- $(".d_row").css('opacity','1'); +- ltCol = $(".d_row_active").find('td.lt').html(); +- $(".d_row_active").find('td.lt').css('background', ltCol); +- $(".d_row_active").attr('class','d_row'); +- // Update class_count +- $("#class_count").text(lastclasscount); +- // Get rid of any crashed loaders +- $("#loader").hide(); +- // Reset checkbox +- $(".chk_all").prop("checked",false); +- // Clear Tags +- clearTags(); +- } +- function closeSubRow() { +- $("#eview_sub1").remove(); +- $("#" + this.id).attr('class','d_row_sub'); +- $(".d_row_sub").css('opacity','1'); +- $(".d_row_sub_active").attr('class','d_row_sub'); +- // Update class_count +- $("#class_count").text(lastclasscount); +- curclasscount = lastclasscount; +- $("#loader").hide(); +- // Reset and show checkbox +- 
$(".chk_all").prop("checked",false); +- $("#ca0").show(); +- // Remove any open externals +- if ($("#extresult")[0]) $("#extresult").remove(); +- // Clear Tags +- clearTags(); +- } +- function closeSubRow1() { +- $("#eview_sub2").remove(); +- $("#" + this.id).attr('class','d_row_sub1'); +- if (!$("#eview_sub3")[0]) { +- $(".d_row_sub1").css('opacity','1'); +- $(".d_row_sub_active1").attr('class','d_row_sub1'); +- } +- $("#loader").hide(); +- // Reset checkbox +- $(".chk_all").prop("checked",false); +- // Remove any open externals +- if ($("#extresult")[0]) $("#extresult").remove(); +- // Clear Tags +- clearTags(); +- } +- function closeSubRow2() { +- $("#eview_sub3").remove(); +- $("#" + this.id).attr('class','d_row_sub1'); +- if (!$("#eview_sub2")[0]) { +- $(".d_row_sub1").css('opacity','1'); +- $(".d_row_sub1_active").attr('class','d_row_sub1'); +- } +- $("#loader").hide(); +- // Clear Tags +- clearTags(); +- } +- +- // +- // Level 1 +- // +- +- $(document).on("click", ".row_active", function(event) { +- var curID = $(this).parent('tr').attr('id'); +- // What type of row are we? +- rowType = curID.substr(0,3); +- +- // Make sure no other instances are open +- if (!$(".d_row_active")[0] && rowType == 'sid') { +- $("#loader").show(); +- // This leaves us with sid-gid +- var rowValue = curID.replace("sid-",""); +- var sigID = rowValue.split("-")[0]; +- +- $(".d_row_active").attr('class', 'd_row'); +- $("#active_eview").attr('class','d_row'); +- +- // This is now the active row +- $("#" + curID).attr('class','d_row_active'); +- $("html, body").animate({ scrollTop: $('.d_row_active').offset().top - 140 }, 20); +- // History +- var itemToAdd = $("#" + curID).find('[class*="row_filter"]').text(); +- hItemAdd(itemToAdd); +- // Set the class count (counted again after load) +- curclasscount = $('.d_row_active').data('event_count'); +- var cols = $('th.sort').length; +- var tbl = ''; +- tbl += ""; +- tbl += "
"; +- tbl += "
"; +- tbl += "
"; +- tbl += "
"; +- tbl += "
"; +- tbl += "
"; +- tbl += "
"; +- tbl += "
"; +- tbl += ""; +- tbl += "CATEGORIZE"; +- tbl += curclasscount + "EVENT(S)  "; +- tbl += "    "; +- tbl += "CREATE FILTER: "; +- tbl += "src  "; +- tbl += "dst  "; +- tbl += "both"; +- tbl += "
"; +- $("#" + curID).after(tbl); +- +- // Lookup signature +- sigLookup(rowValue); +- +- // Fetch results +- eventList("1-" + rowValue); +- +- $("#eview").show(); +- $(".d_row").fadeTo('0','0.2'); +- } else { +- closeRow(); +- } +- }); +- +- // +- // Level 2 +- // +- +- $(document).on("click", ".sub_active", function() { +- if (!$(".d_row_sub_active")[0]) { +- var callerID = $(this).parent('tr').attr('id'); +- +- // Reset checkbox +- $(".chk_all").prop("checked",false); +- +- // RT or ALL? +- switch (rtbit) { +- case 1: adqp = s2h("AND event.status = 0"); break; +- case 0: adqp = s2h("empty"); break; +- } +- // We are now the active row +- $("#" + callerID).attr('class','d_row_sub_active'); +- +- // Populate search times +- var bt = $("#" + callerID).find('[class*="timestamp"]').html(); +- var est = mkStamp(bt,"-",3600000,thisTZ); +- var eet = mkStamp(bt,"+",3600000,thisTZ); +- +- $('#el_start').val(est); +- $('#el_end').val(eet); +- +- // Clear search terms +- $("#srchterms").html(''); +- $(".srch_txt").val(''); +- +- // History and search +- $("#" + callerID).find('[class*="sub_filter"]').each(function() { +- if ($(this).data('type') == 'cc') { +- var itemToAdd = $(this).data('value'); +- } else { +- var itemToAdd = $(this).text(); +- // Add search terms +- $("#srchterms").append("" + itemToAdd + "  "); +- } +- hItemAdd(itemToAdd); +- }); +- +- $("#loader").show(); +- eventList("2-" + callerID + "-" + adqp); +- } else { +- closeSubRow(); +- } +- }); +- +- // +- // Level 3 (a or b) request payload +- // +- +- $(document).on("click", ".sub1_active", function() { +- // Close transcript if it is open +- if ($(".eview_sub3")[0]) closeSubRow2(); +- if (!$(".d_row_sub_active1")[0]) { +- var callerID = $(this).parent('tr').attr('id'); +- $("#" + callerID).attr('class','d_row_sub_active1'); +- +- // Populate search times +- var bt = $("#" + callerID).find('[class*="timestamp"]').html(); +- var est = mkStamp(bt,"-",1800000,thisTZ); +- var eet = 
mkStamp(bt,"+",1800000,thisTZ); +- +- $('#el_start').val(est); +- $('#el_end').val(eet); +- +- // Clear search terms +- $("#srchterms").html(''); +- $(".srch_txt").val(''); +- +- // History +- $("#" + callerID).find('[class*="sub_filter"]').each(function() { +- if ($(this).data('type') == 'cc') { +- var itemToAdd = $(this).data('value'); +- } else { +- var itemToAdd = $(this).text(); +- } +- if ($(this).data('type') == 'ip') { +- // Add search terms +- $("#srchterms").append("" + itemToAdd + "  "); +- } +- hItemAdd(itemToAdd); +- }); +- $("#loader").show(); +- eventList("3-" + callerID); +- } else { +- closeSubRow1() +- } +- }); +- +- // +- // Level 3 (a or b) request transcript +- // +- +- $(document).on("click", ".sub2_active", function(event) { +- // Close payload if it is open +- if ($(".eview_sub2")[0]) closeSubRow1(); +- var bail = $("#loader").css('display'); +- if (bail != 'none') return; +- if (!$(".eview_sub3")[0]) { +- $("#loader").show(); +- composite = $(this).data('tx').split("-"); +- rowLoke = composite[0]; +- $("#" + rowLoke).attr('class','d_row_sub1_active'); +- nCols = $("#" + rowLoke).find('td').length; +- cid = composite[1]; +- txdata = composite[2]; +- +- // See if a transcript is available +- var urArgs = "type=" + 7 + "&txdata=" + txdata; +- $(function(){ +- $.post(".inc/callback.php?" + urArgs, function(data){cb5(data)}); +- }); +- +- function cb5(data){ +- eval("txRaw=" + data); +- txCMD = txRaw.cmd; +- txResult = txRaw.tx; +- txDebug = txRaw.dbg; +- if (txResult == "DEBUG:") txResult += " No data was returned."; +- if (!txResult) { +- txResult = "Transcript request failed!

"; +- txResult += "The command was:
" + txCMD + "

"; +- txResult += "The response was:" + txDebug.replace(/DEBUG:/g,"
"); +- } +- +- var row = '',tbl = ''; +- row += ""; +- row += ""; +- row += "
"; +- row += txResult; +- row += "
"; +- +- tbl += ""; +- tbl += row; +- tbl += ""; +- $("#" + rowLoke).after(tbl); +- +- // Turn off fade effect for large results +- var rC = $(".d_row_sub1").length; +- if ( rC <= 399 ) { +- $(".d_row_sub1").fadeTo('fast','0.2'); +- } +- +- $("#loader").hide(); +- } +- } else { +- closeSubRow2(); +- } +- }); +- +- // Toggle RT depending on entry point +- $(document).on("click", ".b_ec_hot", function() { +- rtbit = 1; +- }); +- $(document).on("click", ".b_ec_total", function() { +- rtbit = 0; +- }); +- +- // Filter constructor +- function mkFilter() { +- if ($('#search').val().length > 0) { +- +- var srchVal = $('#search').val(); +- var fParts = ""; +- +- // If no term is supplied default to a string, IP or wildcard IP search +- chkVal: +- if (srchVal.indexOf(" ") == -1 && srchVal[0] != "!") { +- var re = /^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}/; +- if (re.exec(srchVal)) { +- srchVal = "ip " + srchVal; +- break chkVal; +- } +- +- var re = /^(\d{1,3}|%)\.(\d{1,3}|%)\.(\d{1,3}|%)\.(\d{1,3}|%)/; +- if (re.exec(srchVal)) { +- srchVal = "wip " + srchVal; +- break chkVal; +- } +- +- srchVal = "sig " + srchVal; +- } +- +- fParts = srchVal.replace(/^!/,"").split(" "); +- if (fParts[0] == 'cmt') { +- var theFilter = s2h($('#search').val()); +- rtbit = 0; +- } else { +- // Now see if the requested filter exists +- if ($("#tr_" + fParts[0]).length > 0) { +- tmpFilter = $("#tr_" + fParts[0]).data('filter'); +- // Now see if we need to modify the query +- if (fParts[1]) { +- // This is the base filter +- preFilter = h2s(tmpFilter); +- // This is the user supplied text. 
+- var re = new RegExp("^" + fParts[0] + "\\s{1}|[';\\\`]","g"); +- theQuestion = fParts.join(' ').replace(re, ""); +- // We will accept multiple questions if they are comma delimited +- questionParts = theQuestion.split(","); +- if (questionParts.length > 1) { +- var f = '('; +- for (var i = 0; i < questionParts.length; i++) { +- f += preFilter.replace(/\$/g, questionParts[i]); +- if (i != (questionParts.length - 1)) { +- f += " OR "; +- } +- } +- f += ')'; +- theFilter = s2h(f); +- } else { +- var newFilter = preFilter.replace(/\$/g, questionParts[0]); +- theFilter = s2h(newFilter); +- } +- } else { +- theFilter = tmpFilter; +- } +- } else { // The filter does not exist +- theFilter = s2h('empty'); +- } +- } +- } else { // No filter supplied +- theFilter = s2h('empty'); +- } +- return theFilter; +- } +- +- // +- // This creates the views for each level +- // +- +- function eventList (type) { +- theWhen = getTimestamp(); +- statusPoll(0); +- var parts = type.split("-"); +- var filterMsg = ''; +- var rt = 0; +- var theSensors = s2h('empty'); +- var theFilter = mkFilter(); +- +- // See if we are just RT events +- if ($('#rt').text() == 'on' || rtbit == 1) { +- rt = 1; +- rtbit = 1; +- } +- // How are we sorting? 
+- var sortval = $("#event_sort").val(), sorttxt; +- switch (sortval) { +- case "DESC": sorttxt = "show oldest first"; break; +- case "ASC": sorttxt = "show newest first"; break; +- } +- +- // See if we are filtering by sensor +- if ($('.chk_sen:checked').length > 0) { +- var active_sensors = "AND event.sid IN("; +- var iter = $('.chk_sen:checked').length; +- $('.chk_sen:checked').each(function() { +- active_sensors += "'" + $(this).val() + "',"; +- }); +- active_sensors = active_sensors.replace(/,+$/,''); +- active_sensors += ")"; +- theSensors = s2h(active_sensors); +- } +- +- // Check for any filters +- if (h2s(theFilter) != 'empty') { +- $('.fl_val').text('YES'); +- } else { +- $('.fl_val').text('NO'); +- } +- +- switch (parts[0]) { +- +- // Level 0 view - Grouped by Signature +- case "0": +- $('.value').text('-'); +- +- // Times Chart +- var urChrtArgs = "type=22&ts=" + theWhen + "&filter=" + theFilter + "&sensors=" + theSensors; +- $(function(){ +- $.get(".inc/callback.php?" + urChrtArgs, function(data){cb22(data)}); +- }); +- +- function cb22(data){ +- eval("chartData=" + data); +- var r = chartData.r; +- if (r > 0) { +- mkLine(".times",chartData.rows,chartData.m); +- } +- } +- +- var urArgs = "type=" + parts[0] + "&ts=" + theWhen + "&filter=" + theFilter + "&sensors=" + theSensors + "&rt=" + rt + "&sv=" + sortval; +- $(function(){ +- $.get(".inc/callback.php?" 
+ urArgs, function(data){cb1(data)}); +- }); +- function cb1(data){ +- eval("d0=" + data); +- var tbl = ''; +- var head = ''; +- var row = ''; +- var cols = 11; +- +- if (rt == 0) cols = 12; +- head += ""; +- head += ""; +- head += "QUEUE"; +- if (rt == 0) head += "ALL"; +- head += ""; +- head += "SC"; +- head += "DC"; +- if (rt == 0) head += "CLASS"; +- head += "ACTIVITY"; +- head += "LAST EVENT"; +- head += "SIGNATURE"; +- head += "ID"; +- head += "PROTO"; +- head += "% TOTAL"; +- head += ""; +- +- var sumEC = 0, sumSC = 0, sumDC = 0, sumSI = "-", spr1 = 0, spr2 = 0, spr3 = 0, spr4 = 0; +- +- if (d0.length > 0) { +- // Sums for boxes +- for (var i=0; i"; +- row += "No result. If this is unexpected try this"; +- } +- +- if (rt == 1) { +- sumSC = "-"; +- sumDC = "-"; +- sumEC = eTotal; +- } +- +- var sumRT = 0; +- +- // Tag Array +- var tags = new Array(); +- +- for (var i=0; i 0 ) { +- rtClass = "b_ec_hot"; +- sumRT += parseInt(unClass); +- } else { +- rtClass = "b_ec_cold"; +- } +- +- // Sum priorities +- var prC = Number(d0[i].f1); +- switch (d0[i].f13) { +- case "1": spr1 += prC; break; +- case "2": spr2 += prC; break; +- case "3": spr3 += prC; break; +- default: spr4 += prC; break; +- } +- +- rid = "r" + i + "-" + parts[1]; +- var cells = mkGrid(d0[i].f12); +- if (rt == 0) var catCells = catGrid(d0[i].f11,0,0); +- row += ""; +- row += "
" + unClass + "
"; +- if (rt == 0) row += "
" + d0[i].f1 + "
"; +- row += "
" + d0[i].f13 + "
"; +- row += "" +d0[i].f6+ ""; +- row += "" +d0[i].f7+ ""; +- if (rt == 0) row += "" + catCells + ""; +- +- timeParts = d0[i].f5.split(" "); +- timeStamp = timeParts[1]; +- +- if ( sumEC > 0) { +- rowPer = Number(d0[i].f1/sumEC*100).toFixed(3); +- } else { +- rowPer = "0.000"; +- } +- +- row += "" + cells + ""; +- row += "" + timeStamp + ""; +- row += ""; +- //row += "
" + d0[i].f2 + "
"; +- row += d0[i].f2 + ""; +- row += "" + d0[i].f3 + ""; +- row += "" + d0[i].f8 + ""; +- +- +- row += "" + rowPer + "%"; +- row += ""; +- } +- +- // Populate event summary +- $('#qtotal').text(sumRT); +- $('#etotal').text(sumEC); +- $('#esignature').text(sumSI); +- +- // Populate tags +- for (var i=0; i < tags.length; i++) { +- addTag(tags[i]); +- } +- +- tbl += ""; +- tbl += head; +- tbl += row; +- tbl += "
"; +- +- $('#' + parts[1] + '-' + parts[2]).append(tbl); +- +- if (d0.length > 0) { +- var prVals = [spr1,spr2,spr3,spr4]; +- var pryBar = mkPribar(prVals); +- } else { +- var pryBar = mkPribar([0]); +- } +- $('#tl1').fadeIn('slow'); +- $("#tl1").tablesorter(); +- $("#loader").hide(); +- } +- break; +- +- // Level 1 view - Grouped by signature, source, destination +- +- case "1": +- var urArgs = "type=" + parts[0] + "&object=" + parts[1] + "&ts=" + theWhen + "&filter=" + theFilter + "&sensors=" + theSensors + "&rt=" + rt + "&sv=" + sortval; +- $(function(){ +- $.get(".inc/callback.php?" + urArgs, function(data){cb2(data)}); +- }); +- +- function cb2(data){ +- eval("theData=" + data); +- tbl = ''; +- head = ''; +- row = ''; +- head += "QUEUE"; +- if (rt == 0) head += "TOTAL"; +- if (rt == 0) head += "CLASS"; +- head += "ACTIVITY"; +- head += "LAST EVENT"; +- head += "SOURCE"; +- head += "AGE"; +- head += "COUNTRY"; +- head += "DESTINATION"; +- head += "AGE"; +- head += "COUNTRY"; +- head += ""; +- var curclasscount = 0, tlCount = 0, rtCount = 0; +- var timeValues = "", scid = ""; +- +- // Tag array +- var tags = new Array(); +- +- for (var i=0; i 0 ) { +- rtClass = "b_ec_hot"; +- isActive = "sub_active"; +- } else { +- rtClass = "b_ec_cold"; +- isActive = "sub"; +- } +- +- // Aggregate time values +- timeValues += theData[i].c_ts + ","; +- var cells = mkGrid(theData[i].f12); +- if (rt == 0) var catCells = catGrid(theData[i].c_status,0,0); +- +- // Event sums +- tlCount += parseInt(count,10); +- rtCount += parseInt(unclass,10); +- +- rid = "r" + i + "-" + parts[1] + "-" + src_ip + "-" + dst_ip; +- row += ""; +- row += "
" + unclass + "
"; +- if (rt == 0) row += "
" + count + "
"; +- if (rt == 0) row += "" + catCells + ""; +- row += "" + cells + ""; +- row += "" + max_time + ""; +- row += "
" + src_ip + ""; +- row += "" + src_age_n + ""; +- row += ""; +- row += cs[1] + src_clong + " (." + src_cc.toLowerCase() + ")" + ""; +- row += "
" + dst_ip + ""; +- row += "" + dst_age_n + ""; +- row += ""; +- row += cd[1] + dst_clong + " (." + dst_cc.toLowerCase() + ")" + ""; +- row += ""; +- } +- +- // Populate tags +- for (var i=0; i < tags.length; i++) { +- addTag(tags[i]); +- } +- +- // Add scid's to checkbox +- $("#ca0").data("scid", scid.replace(/,$/, "")); +- +- // If queue is empty provide event sums in case the user +- // intends to reclass anything +- if (rtbit == 1) { +- curclasscount = rtCount; +- } else { +- curclasscount = tlCount; +- } +- +- // update class_count +- $("#class_count").html(curclasscount); +- lastclasscount = $("#class_count").html(); +- +- // While in grouped events (RT) we remove rows as +- // they are classed and subtract the values from "Total Events" +- // This keeps etotal up to date so the math doesn't get silly +- var oldrt = Number($(".d_row_active").find(".b_ec_hot").text()); +- var oldec = Number($("#etotal").text()); +- if (oldrt < rtCount) { +- newrtcount = parseInt((rtCount - oldrt) + oldec); +- $("#etotal").text(newrtcount); +- } +- +- // Update parent counts +- $(".d_row_active").find(".b_ec_hot").text(rtCount); +- if (rt == 0) $(".d_row_active").find(".b_ec_total").text(tlCount); +- +- tbl += "
"; +- tbl += head; +- tbl += row; +- tbl += "
"; +- $("#eview").after(tbl); +- $("#tl2").tablesorter({ +- headers: { +- 4: {sorter:'ipv4'}, +- 6: {sorter:'ipv4'} +- } +- }); +- $("#loader").hide(); +- } +- break; +- +- // Level 2 view - No grouping, individual events +- +- case "2": +- var rowLoke = parts[1]; +- var filter = $('#' + parts[1]).data('filter'); +- var urArgs = "type=" + parts[0] + "&object=" + filter + "&filter=" + theFilter + "&sensors=" + theSensors + "&ts=" + theWhen + "&adqp=" + parts[2] + "&rt=" + rt + "&sv=" + sortval; +- $(function(){ +- $.get(".inc/callback.php?" + urArgs, function(data){cb3(data)}); +- }); +- +- function cb3(data){ +- eval("d2=" + data); +- tbl = ''; +- head = ''; +- row = ''; +- head += ""; +- head += ""; +- head += "ST"; +- head += "TIMESTAMP"; +- head += "EVENT ID"; +- head += "SOURCE"; +- head += "PORT"; +- head += "DESTINATION"; +- head += "PORT"; +- head += "SIGNATURE"; +- head += ""; +- +- // Update class_count +- $("#class_count").html(0); +- var tlCount=0, rtCount=0; +- +- // Tag array +- var tags= new Array(); +- +- for (var i=0; i"; +- tclass = "c" + eclass; +- cv = classifications.class[tclass][0].short; +- +- // Populate tags array +- if (src_tag != "-") { +- var src_tags = src_tag.split(","); +- $.each(src_tags, function(n,tag) { +- var t = tags.indexOf(tag); +- if (t < 0) tags.push(tag); +- }); +- } +- +- if (dst_tag != "-") { +- var dst_tags = dst_tag.split(","); +- $.each(dst_tags, function(n,tag) { +- var t = tags.indexOf(tag); +- if (t < 0) tags.push(tag); +- }); +- } +- +- // Timestamp +- var compts = d2[i].f2.split(",") || "--"; +- var timestamp = compts[0]; +- var utctimestamp = compts[1]; +- +- // Event sums +- tlCount += parseInt(1,10); +- if (cv == "RT") { +- rtCount += parseInt(1,10); +- } +- +- // Transcript link +- // original Squert native pivot: +- //txdata = "s" + i + "-" + cid + "-" + s2h(sid + "|" + utctimestamp + "|" + src_ip + "|" + src_port + "|" + dst_ip + "|" + dst_port); +- //txBit = "" + sid + "." + cid + "
"; +- //if (src_port != "-" && dst_port != "-") { +- // txBit = "" + sid + "." + cid + ""; +- //} +- // new pivot to CapMe: +- txdata = "s" + i + "-" + cid + "-" + s2h(sid + "|" + utctimestamp + "|" + src_ip + "|" + src_port + "|" + dst_ip + "|" + dst_port); +- txBit = "" + sid + "." + cid + ""; +- if (src_port != "-" && dst_port != "-") { +- var startDate = new Date(utctimestamp); +- var start_tz_offset = (startDate.getTimezoneOffset()); +- var stime = startDate.setTime( startDate.getTime()/1000-(start_tz_offset*60) ) - 3600; +- var endDate = new Date(utctimestamp); +- var end_tz_offset = (endDate.getTimezoneOffset()); +- var etime = endDate.setTime( endDate.getTime()/1000-(end_tz_offset*60) ) + 3600; +- txBit = " " + sid + "." + cid + ""; +- } +- +- row += ""; +- row += "
"; +- row += cv + "
"; +- row += "" + timestamp + ""; +- row += txBit; +- row += "" + src_ip + ""; +- row += "" + src_port + ""; +- row += "" + dst_ip + ""; +- row += "" + dst_port + ""; +- row += "" + signature + ""; +- row += ""; +- } +- +- // Update parent counts +- $(".d_row_sub_active").find(".b_ec_hot").text(rtCount); +- if ($(".d_row_sub_active").find(".b_ec_total").text() < tlCount) { +- $(".d_row_sub_active").find(".b_ec_total").text(tlCount); +- } +- +- var cols = $('th.sort').length; +- +- // Populate tags +- clearTags(); +- for (var i=0; i < tags.length; i++) { +- addTag(tags[i]); +- } +- +- tbl += ""; +- tbl += ""; +- tbl += head; +- tbl += row; +- tbl += "
"; +- $("#" + rowLoke).after(tbl); +- $(".d_row_sub").fadeTo('0','0.2'); +- $("#loader").hide(); +- $("#tl3").tablesorter({ +- headers: { +- 0:{sorter:false}, +- 4:{sorter:'ipv4'}, +- 6:{sorter:'ipv4'} +- }, +- cancelSelection:false +- }); +- $("#ca0").hide(); +- } +- break; +- +- // Level 2a view - No grouping, individual events +- +- case "2a": +- $('.value').text('-'); +- var urArgs = "type=2a&ts=" + theWhen + "&filter=" + theFilter + "&sensors=" + theSensors + "&rt=" + rt + "&sv=" + sortval; +- $(function(){ +- $.get(".inc/callback.php?" + urArgs, function(data){cb3a(data)}); +- }); +- +- function cb3a(data){ +- eval("d2a=" + data); +- var tbl = ''; +- var head = ''; +- var row = ''; +- var disabled = ''; +- if (d2a.length == 0) { +- disabled = "disabled"; +- row += ""; +- row += "No result. If this is unexpected try this"; +- } +- +- head += ""; +- head += ""; +- head += ""; +- head += "ST"; +- head += ""; +- head += "TIMESTAMP"; +- head += "ID"; +- head += "SOURCE"; +- head += "PORT"; +- head += "AGE"; +- head += "CC"; +- head += "DESTINATION"; +- head += "PORT"; +- head += "AGE"; +- head += "CC"; +- head += "SIGNATURE"; +- head += ""; +- +- // Aggregate time values +- var timeValues = ""; +- for (var ts=0; ts" + sid + "." + cid + ""; +- //if (src_port != "-" && dst_port != "-") { +- // txBit = "" + sid + "." + cid + ""; +- //} +- // new pivot to CapMe: +- txdata = "s" + i + "-" + cid + "-" + s2h(sid + "|" + utctimestamp + "|" + src_ip + "|" + src_port + "|" + dst_ip + "|" + dst_port); +- txBit = "" + sid + "." + cid + ""; +- if (src_port != "-" && dst_port != "-") { +- var startDate = new Date(utctimestamp); +- var start_tz_offset = (startDate.getTimezoneOffset()); +- var stime = startDate.setTime( startDate.getTime()/1000-(start_tz_offset*60) ) - 3600; +- var endDate = new Date(utctimestamp); +- var end_tz_offset = (endDate.getTimezoneOffset()); +- var etime = endDate.setTime( endDate.getTime()/1000-(end_tz_offset*60) ) + 3600; +- txBit = " " + sid + "." 
+ cid + ""; +- } +- +- row += ""; +- row += ""; +- row += "
"; +- row += cv + "
"; +- row += "
" + d2a[i].f16 + "
"; +- row += "" + timestamp + ""; +- row += txBit; +- row += "
" + src_ip + ""; +- row += "" + src_port + ""; +- row += "" + src_age_n + ""; +- row += "" + cs[1] + ""; +- row += "
" + dst_ip + ""; +- row += "" + dst_port + ""; +- row += "" + dst_age_n + "" +- row += "" + cd[1] + ""; +- row += "" + signature + ""; +- } +- +- var sumED = 0, sumEC = 0, cmsg = ""; +- +- if (d2a.length > 0) { +- sumED = i; +- sumEC = d2a.length; +- } +- +- if (d2a.length >= maxI) { +- sumRE = sumEC - maxI; +- cmsg = " / " + sumRE + " not shown"; +- } +- +- $("#qtotal").html(rsumRT); +- +- // Populate tags +- clearTags(); +- for (var i=0; i < tags.length; i++) { +- addTag(tags[i]); +- } +- +- // Draw +- tbl += ""; +- tbl += "
"; +- tbl += "
"; +- tbl += "
"; +- tbl += "categorize " + 0 + ""; +- tbl += " of " + sumED + " event(s)" + cmsg; +- tbl += "
"; +- tbl += "
" + sorttxt + "
"; +- tbl += "
"; +- tbl += "
"; +- tbl += ""; +- tbl += head; +- tbl += row; +- tbl += "
"; +- $('#' + parts[1] + '-' + parts[2]).after(tbl); +- +- if (d2a.length > 0) { +- var prVals = [spr1,spr2,spr3,spr4]; +- var pryBar = mkPribar(prVals); +- } else { +- var pryBar = mkPribar([0]); +- } +- $("#tl3a,#tl3b").fadeIn('slow'); +- $("#tl3b").tablesorter({ +- headers: { +- 0:{sorter:false}, +- 1:{sorter:false}, +- 5:{sorter:'ipv4'}, +- 8:{sorter:'ipv4'} +- }, +- cancelSelection:false +- }); +- $("#loader").hide(); +- } +- break; +- +- // Level 3 view - Packet Data +- +- case "3": +- var rowLoke = parts[1]; +- var nCols = $('#' + parts[1]).data('cols'); +- var filter = $('#' + parts[1]).data('filter'); +- var urArgs = "type=" + parts[0] + "&object=" + filter + "&ts=" + theWhen; +- var sg = $('#' + parts[1]).data('sg'); +- $(function(){ +- $.get(".inc/callback.php?" + urArgs, function(data){cb4(data)}); +- }); +- +- function cb4(data){ +- eval("theData=" + data); +- +- var tbl = '', head = '', row = ''; +- +- // If IP version is 0 we can jump right to the payload (likely bro, http or ossec agent) +- if (theData[0].ip_ver != 0) { +- +- var PDATA = 0; +- head += ""; +- head += ""; +- head += ""; +- head += ""; +- head += ""; +- head += ""; +- head += ""; +- head += ""; +- head += ""; +- head += ""; +- head += ""; +- head += ""; +- head += ""; +- head += ""; +- +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += "
IPVERIHLTOSLENGTHIDFLAGSOFFSETTTLCHECKSUMPROTO
" + theData[0].ip_ver + "" + theData[0].ip_hlen + "" + theData[0].ip_tos + "" + theData[0].ip_len + "" + theData[0].ip_id + "" + theData[0].ip_flags + "" + theData[0].ip_off + "" + theData[0].ip_ttl + "" + theData[0].ip_csum + "" + theData[0].ip_proto + "
"; +- +- switch (theData[0].ip_proto) { +- case "1": +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += "
ICMPTYPECODECHECKSUMIDSEQ#
" + theData[1].icmp_type + "" + theData[1].icmp_code + "" + theData[1].icmp_csum + "" + theData[1].icmp_id + "" + theData[1].icmp_seq + "
"; +- break; +- +- case "6": +- // TCP flags +- var tmpFlags = theData[1].tcp_flags || 'z'; +- switch (tmpFlags) { +- case 'z': var tcpFlags = '--------'; break; +- default: +- var binFlags = Number(theData[1].tcp_flags).toString(2); +- var binPad = 8 - binFlags.length; +- var tcpFlags = "00000000".substring(0,binPad) + binFlags; +- break; +- } +- var tcp_seq = theData[1].tcp_seq || '-'; +- var tcp_ack = theData[1].tcp_ack || '-'; +- var tcp_off = theData[1].tcp_off || '-'; +- var tcp_res = theData[1].tcp_res || '-'; +- var tcp_win = theData[1].tcp_win || '-'; +- var tcp_urp = theData[1].tcp_urp || '-'; +- var tcp_csum = theData[1].tcp_csum || '-'; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += "
TCPR1R0URGACKPSHRSTSYNFINSEQ#ACK#OFFSETRESWINURPCHECKSUM
" + tcpFlags[0] + "" + tcpFlags[1] + "" + tcpFlags[2] + "" + tcpFlags[3] + "" + tcpFlags[4] + "" + tcpFlags[5] + "" + tcpFlags[6] + "" + tcpFlags[7] + "" + tcp_seq + "" + tcp_ack + "" + tcp_off + "" + tcp_res + "" + tcp_win + "" + tcp_urp + "" + tcp_csum + "
"; +- break; +- +- case "17": +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += "
UDPLENGTHCHECKSUM
" + theData[1].udp_len + "" + theData[1].udp_csum + "
"; +- break; +- } +- +- var p_hex = '', p_ascii = '', p_ascii_l = ''; +- +- // Data +- if (!theData[2]) { +- p_hex = "No Data Sent."; +- p_ascii = "No Data Sent."; +- } else { +- p_pl = theData[2].data_payload; +- p_length = theData[2].data_payload.length; +- var b0 = 0; +- +- for(var i=0; i < p_length; i+=2) { +- b0++; +- t_hex = p_pl.substr(i,2); +- t_int = parseInt(t_hex,16); +- +- if ((t_int < 32) || (t_int > 126)) { +- p_hex += t_hex + " "; +- p_ascii += "."; +- p_ascii_l += "."; +- } else if (t_int == 60) { +- p_hex += t_hex + " "; +- p_ascii += "<"; +- p_ascii_l += "<"; +- } else if (t_int == 62) { +- p_hex += t_hex + " "; +- p_ascii += ">"; +- p_ascii_l += ">"; +- } else { +- p_hex += t_hex + " "; +- p_ascii += String.fromCharCode(parseInt(t_hex, 16)); +- p_ascii_l += String.fromCharCode(parseInt(t_hex, 16)); +- } +- +- if ((b0 == 16) && (i < p_length)) { +- p_hex += "
"; +- p_ascii += "
"; +- b0 = 0; +- } +- } +- } +- +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += "
DATAHEXASCII
" + p_hex + "" + p_ascii + "
ASCII" + p_ascii_l + "
"; +- +- } else { +- +- head += ""; +- var p_ascii = "No Data Sent."; +- // This needs to be more robust. +- if (theData[2]) { +- var tmp = h2s(theData[2].data_payload).split("\n"); +- p_ascii = ''; +- for (var i in tmp) { +- p_ascii += "
" + tmp[i] + "
"; +- } +- +- } +- row += ""; +- row += ""; +- row += "
" + p_ascii + "
"; +- } +- +- tbl += ""; +- +- // If we are not grouped we show the signature text +- if ( sg != 0 ) { +- tbl += "
"; +- tbl += "
"; +- tbl += "
"; +- tbl += "
"; +- tbl += "
"; +- tbl += "
"; +- sigLookup(sg); +- } +- +- // Comments and tags are done here +- var tags = new Array(); +- var eventTag = 'None.'; +- var eventComment = theData[0].comment || 'None.'; +- var src_tag = theData[0].srctag || '-'; +- var dst_tag = theData[0].dsttag || '-'; +- +- // Populate tags array +- if (src_tag != "-") { +- var src_tags = src_tag.split(","); +- $.each(src_tags, function(n,tag) { +- var t = tags.indexOf(tag + ",s"); +- if (t < 0) tags.push(tag + ",s"); +- }); +- } +- +- if (dst_tag != "-") { +- var dst_tags = dst_tag.split(","); +- $.each(dst_tags, function(n,tag) { +- var t = tags.indexOf(tag + ",d"); +- if (t < 0) tags.push(tag + ",d"); +- }); +- } +- +- if (tags.length > 0) eventTag = ''; +- +- tbl += "
COMMENTS
"; +- tbl += "
" + eventComment + "
"; +- tbl += "
TAGS
"; +- tbl += "
" + eventTag + "
"; +- if (PDATA != 0) { +- tbl += "
DETAILS
"; +- } else { +- tbl += "
PAYLOAD
"; +- } +- tbl += head; +- tbl += row; +- tbl += ""; +- $("#" + rowLoke).after(tbl); +- $("#loader").hide(); +- +- // Turn off fade effect for large results +- var rC = $(".d_row_sub1").length; +- if ( rC <= 499 ) { +- $(".d_row_sub1").fadeTo('fast','0.2'); +- } +- +- // Populate tags +- clearTags(); +- for (var i=0; i < tags.length; i++) { +- addTag(tags[i]); +- } +- +- } +- break; +- } +- // If event queue is off we need to reset this after load if b_ec_hot was +- // the entry point +- if ($('#rt').text() == 'off') rtbit = 0; +- } +- +- // +- // Object click handlers +- // +- +- $(document).on("click", ".select,.ex_val,.sub_filter,.row_filter,.tof,.value_link,.nr_f", function(e) { +- // Check if we are coming from a legit object +- var prefix = $(this).data('type'); +- if (prefix == "none") return; +- +- // Check if we are coming from a sane selection +- var selLen = window.getSelection().toString().length; +- if (selLen > 4) { +- if (selLen < 255) { // Might need to change these based on how people use this +- prefix = "zz"; +- var suffix = window.getSelection().toString(); +- var re = /\s/g; +- var NOK = re.exec(suffix); +- if (NOK) return; +- } else { +- return; +- } +- } else { +- var suffix = $(this).text(); +- } +- +- var mX = e.pageX; +- var mY = e.pageY; +- +- var colour = $(this).data('col') || "FFFFFF"; +- var tfocus = "#search"; +- switch (prefix) { +- case 'ip': +- hItemAdd(suffix); +- var sord = $(this).data('sord'); +- mkPickBox(prefix,suffix,sord,colour,mX,mY); +- break; +- case 'spt': +- case 'dpt': +- hItemAdd(suffix); +- mkPickBox(prefix,suffix,0,colour,mX,mY); +- break; +- case 'cc': +- case 'scc': +- case 'dcc': +- var cc = $(this).data('value'); +- hItemAdd(cc); +- mkPickBox(prefix,cc,suffix,colour,mX,mY); +- break; +- case 'cmt': +- suffix = $(this).data('comment'); +- $("#rt").text("off"); +- $("#rt").attr('class','tvalue_off'); +- $('#search').val(prefix + " " + suffix); +- hItemAdd(suffix); +- if ($('#cat_box').css('display') != 'none') { 
+- $('#ico01').click(); +- } +- $('.b_update').click(); +- break; +- case 'cmt_c': +- $('.cat_msg_txt').val(suffix); +- hItemAdd(suffix); +- tfocus = ".cat_msg_txt"; +- break; +- case 'fil': +- var fil = $(this).data('value'); +- $('#search').val(fil); +- hItemAdd(fil); +- if ($('#fltr_box').css('display') != 'none') { +- $('#ico04').click(); +- } +- $('.b_update').click(); +- break; +- case 'sid': +- var value = $(this).data('value'); +- hItemAdd(suffix); +- mkPickBox(prefix,value,suffix,colour,mX,mY); +- break; +- case 'st': +- var suffix = $(this).attr('id').split('-')[1]; +- $('#search').val(prefix + " " + suffix); +- // RT must be off to return anything +- $('#rt').attr('class','tvalue_off'); +- $('#rt').text('off'); +- rtbit = 0; +- $('.b_update').click(); +- break; +- case 'el': +- var suffix = $(this).data('value'); +- mkPickBox(prefix,suffix,0,colour,mX,mY); +- break; +- case 'zz': +- hItemAdd(suffix); +- mkPickBox(prefix,suffix,0,colour,mX,mY); +- break; +- } +- }); +- +- // +- // Picker Box +- // +- +- function mkPickBox(prefix,suffix,rsuffix,colour,mX,mY) { +- var doexternals = "yes"; +- var objhex = s2h(suffix); +- var tbl = '', row = ''; +- // Local stuff first +- switch (prefix[prefix.length - 1]) { +- case "c": +- row += ":: SRC or DST"; +- row += ":: SRC"; +- row += ":: DST"; +- row += ":: SEARCH"; +- break; +- case "p": +- row += ":: SRC or DST"; +- row += ":: SRC"; +- row += ":: DST"; +- row += ":: ADD / REMOVE TAG"; +- if ($('.sigtxt')[0]) { +- row += ":: HISTORY"; +- } +- row += ":: SEARCH"; +- row += ":: COLOUR  "; +- row += ""; +- row += "apply"; +- row += "apply all"; +- row += ""; +- break; +- case "t": +- row += ":: SRC"; +- row += ":: DST"; +- row += ":: SEARCH"; +- break; +- case "d": +- row += ":: SIGNATURE"; +- if ($('.sigtxt')[0]) { +- row += ":: HISTORY"; +- } +- row += ":: SEARCH"; +- break; +- case "l": +- row += ":: COLOUR  "; +- row += ""; +- row += "update"; +- doexternals = "no"; +- break; +- case "z": +- row += ":: SEARCH"; +- 
break; +- } +- +- // If applicable populate externals +- if (doexternals == "yes") { +- $('.f_row').each(function() { +- var ct = $(this).data('type'); +- if (ct == 'url') { +- var alias = $(this).data('alias'); +- var name = $(this).data('name'); +- var url = $(this).data('filter'); +- row += ""; +- row += "" + name + ""; +- row += ""; +- } +- }); +- } +- +- tbl += ""; +- tbl += row; +- tbl += "
"; +- +- var boxlabel = suffix; +- +- // Use more descriptive names where possible +- var re = /(sid|cc|scc|dcc)/; +- var OK = re.exec(prefix); +- if (OK) { +- var boxlabel = rsuffix; +- } +- +- if (boxlabel.length > 24) { +- boxlabel = boxlabel.substring(0,24); +- boxlabel += ".."; +- } +- +- $('#pickbox_label').text(boxlabel).css('font-weight','normal').data('sord', rsuffix); +- +- if ($('#tlpick')[0]) $('#tlpick').remove(); +- $(".pickbox_tbl").append(tbl); +- $('.pickbox').fadeIn('fast'); +- +- // Colour Picker +- $("#menucol").spectrum({ +- showInput: true, +- className: "full-spectrum", +- showInitial: true, +- showPalette: true, +- showSelectionPalette: true, +- maxPaletteSize: 6, +- preferredFormat: "hex", +- localStorageKey: "spectrum.demo", +- move: function (color) {}, +- show: function () {}, +- beforeShow: function () {}, +- hide: function () {}, +- change: function() {}, +- palette: [ +- ['rgb(217,217,217)','rgb(189,189,189)','rgb(150,150,150)','rgb(99,99,99)','rgb(37,37,37)'], +- ['rgb(199,233,192)','rgb(161,217,155)','rgb(116,196,118)','rgb(49,163,84)','rgb(0,109,44)'], +- ['rgb(218,218,235)','rgb(188,189,220)','rgb(158,154,200)','rgb(117,107,177)','rgb(84,39,143)'], +- ['rgb(198,219,239)','rgb(158,202,225)','rgb(107,174,214)','rgb(49,130,189)','rgb(8,81,156)'], +- ['rgb(254,217,118)','rgb(254,178,76)','rgb(253,141,60)','rgb(240,59,32)','rgb(189,0,38)'] +- ] +- }); +- } +- +- // Pickbox click events +- $(document).on('click', '.p_row', function() { +- if ($('.tagbox').css('display') != 'none') $('.tagcancel').click(); +- var ctype = $(this).data('type'); +- var alias = $(this).data('alias'); +- var args = $('#tlpick').data('val'); +- switch(ctype) { +- case "l": +- $('.pickbox').fadeOut('fast'); +- $('#search').val(alias + " " + args); +- $('.b_update').click(); +- break; +- case "r": +- $('.pickbox').fadeOut('fast'); +- var url = h2s($(this).data('url')).replace("${var}", args); +- window.open(url); +- break; +- case "t": +- 
$('.tagbox').fadeIn('fast'); +- $('.taginput').focus(); +- break; +- case "s": +- $('.pickbox').fadeOut('fast', function() {; +- $('#ico05').click(); +- }); +- $('.srch_txt').val(args); +- break; +- case "h": +- doHistory(args); +- $('.pickbox').fadeOut('fast'); +- break; +- default: return; +- } +- }); +- +- // +- // Tags +- // +- +- // Truncate +- function truncTag(tag,len) { +- if (tag.length > len) tag = tag.substring(0,len) + ".."; +- return tag; +- } +- +- // Filter results or add as new +- $(document).on('click', '.tag', function() { +- var tag = $(this).data('val'); +- if($('.taginput').is(":visible")) { +- $('.taginput').val(tag); +- $('.taginput').focus(); +- } else { +- $('#search').val('tag ' + tag); +- $('.b_update').click(); +- } +- }); +- +- // Remove individual tags on "(X)" click via payload area +- $(document).on('mouseenter', '.tag_d, .tag_s', function() { +- var tag = $(this).data('val'); +- if ($(".tag_x")[0]) return; +- var dw = $(this).width() - 5 + "px"; +- $(this).append("
X
"); +- $(".tag_x").css("margin-left", dw); +- $(".tag_x").fadeIn("slow"); +- +- }); +- +- $(document).on('mouseleave', '.tag_d, .tag_s', function() { +- $('.tag_x').remove(); +- }); +- +- $(document).on('click', '.tag_x', function() { +- var tag = $(this).parent().data("val"); +- var obj = $(this).parent().data("obj"); +- $(this).parent().remove(); +- var len = $("#tag_area").text().length; +- if (len == 0) $("#tag_area").append("None."); +- //doTag(s2h(obj),tag,'rm'); +- }); +- +- // Fire tag add on enter +- $('.taginput').keypress(function(e) { +- if (!e) e=window.event; +- key = e.keyCode ? e.keyCode : e.which; +- if (key == 13) $('.tagok').click(); +- }); +- +- // Close tag entry +- $(document).on('click', '.tagcancel', function() { +- $('.taginput').val(''); +- $('.tagbox').fadeOut('fast'); +- }); +- +- // Add a tag +- $(document).on('click', '.tagok', function() { +- var tag = $('.taginput').val(); +- var obj = $('#pickbox_label').text(); +- var re = /^[?a-zA-Z0-9][\s{1}\w-\.]*$/; +- var OK = re.exec(tag); +- if (OK) doTag(s2h(obj),tag,'add'); +- }); +- +- // Remove a tag +- $(document).on('click', '.tagrm', function() { +- var tag = truncTag($('.taginput').val(),20); +- var obj = $('#pickbox_label').text(); +- doTag(s2h(obj),tag,'rm'); +- $(".tag" + ":contains('" + tag + "')").remove(); +- $('.tagcancel').click(); +- }); +- +- // Display or Toggle tags +- function addTag(tag) { +- // If we entered from payload we have some additional info +- if ($('#eview_sub2')[0]) { +- var longTag = tag.split(",")[0]; +- var theClass = tag.split(",")[1]; +- var t_tag = truncTag(longTag,20); +- } else { +- var t_tag = truncTag(tag,20); +- } +- +- // Hide empty +- $('.tag_empty').hide(); +- +- // Check if tag exists +- var tag_exists = 0; +- $('.tag').each(function() { +- if ($(this).text() == t_tag) { +- $(this).addClass('tag_active'); +- tag_exists = 1; +- } +- }); +- +- // Add tag to left pane +- if (tag_exists == 0) { +- var newTag = "
" + t_tag + "
"; +- $('#tg_box').prepend(newTag); +- } +- +- // If we have the payload open, add here as well +- if ($('#eview_sub2')[0]) { +- if($('#pickbox_label').is(":visible")) { +- theClass = $('#pickbox_label').data('sord')[0]; +- } +- // Remove placeholder +- if ($('#tag_none')[0]) $('#tag_none').remove(); +- var newTag = "
" + t_tag + "
"; +- $('#tag_area').prepend(newTag); +- } +- +- } +- +- function doTag(obj,tag,op) { +- var urArgs = "type=19&obtype=tag&object=" + obj + "&value=" + tag + "&op=" + op; +- $(function(){ +- $.post(".inc/callback.php?" + urArgs, function(data){cb22(data)}); +- }); +- +- function cb22(data){ +- eval("theData=" + data); +- if (theData.msg != '') { +- alert(theData.msg); +- } else { +- if (op != 'rm') addTag(tag); +- $('.tagcancel').click(); +- } +- } +- } +- +- // Colours +- $(document).on('click', '.csave', function() { +- var obtype = $(this).data('obtype'); +- var object = $(this).data('object'); +- var colour = $('#menucol').val().replace(/#/,"").toUpperCase(); +- var op = "add"; +- var re = /^([A-Fa-f0-9]{6}|[A-Fa-f0-9]{3})$/; +- var OK = re.exec(colour); +- if (!OK) return; +- // Single or multiple? +- if (obtype == "src" || obtype == "dst") { +- var vr = new Array(); +- $("." + obtype).each(function() { +- var v = $(this).text(); +- var re = /\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}/; +- var OK = re.exec(v); +- if (OK) { +- var t = vr.indexOf(v); +- if (t < 0) vr.push(v); +- } +- }); +- object = vr.toString(); +- } +- +- var urArgs = "type=19&obtype=" + obtype + "_c&object=" + object + "&value=" + colour + "&op=" + op; +- $(function(){ +- $.post(".inc/callback.php?" + urArgs, function(data){cb22(data)}); +- }); +- +- function cb22(data){ +- eval("theData=" + data); +- if (theData.msg != '') { +- alert(theData.msg); +- } else { // We should be good.. +- var curObject = $('#pickbox_label').text(); +- if (obtype == "el") { +- var html = "
" + colour; +- $('#el_' + curObject).html(html); +- $('#el_' + curObject).data('col', colour); +- } else { +- $(".sub_filter:contains(" + curObject + ")").each(function() { +- $(this).find('.object').css('background-color', '#' + colour).parent().data('col', colour); +- }); +- } +- $('.pickbox').fadeOut('fast'); +- } +- } +- }); +- +- $(document).on('click', '.pickbox_close', function() { +- $('.tagcancel').click(); +- $('.pickbox').fadeOut('fast'); +- }); +- +- // +- // Object History +- // +- +- function hItemAdd(item) { +- var itemTitle = item; +- // Truncate +- if (item.length > 33) { +- itemTitle = item.substring(0,33) + ".."; +- } +- // Remove empty message +- $('.history_empty').hide(); +- +- // If the item doesn't exist, add it. Otherwise, we start counting. +- if ($(".h_item:contains('" + itemTitle + "')").length > 0) { +- var oc = $(".h_item:contains('" + itemTitle + "')").data('n'); +- var nc = Number(oc) + 1; +- var bg = '#c9c9c9'; +- var fn = 'normal'; +- if (nc <= 3) { +- bg = '#000'; +- } else if (nc > 3) { +- bg = '#cc0000'; +- fn = 'bold'; +- } +- +- $(".h_item:contains('" + itemTitle + "')").css('color', bg); +- $(".h_item:contains('" + itemTitle + "')").css('font-weight', fn); +- $(".h_item:contains('" + itemTitle + "')").data('n',nc); +- $(".h_item:contains('" + itemTitle + "')").text(itemTitle + "(" + nc + ")"); +- } else { +- var toAdd = " " + itemTitle + ""; +- $('#h_box').prepend(toAdd); +- } +- } +- +- if (!$('.h_item')[0]) { +- $('.history_empty').show(); +- } +- +- // Alt mappings for icons +- +- $.alt('1', function() { +- $("#ico01").click(); +- }); +- $.alt('2', function() { +- $("#ico02").click(); +- }); +- $.alt('3', function() { +- $("#ico03").click(); +- }); +- $.alt('4', function() { +- $("#ico05").click(); +- }); +- $.alt('5', function() { +- $("#ico04").click(); +- }); +- +- // +- // Event classification +- // +- +- // Use function keys to trigger status buttons +- $(document).keydown(function(event){ +- +- function stopOthers() 
{ +- event.originalEvent.keyCode = 0; +- event.preventDefault(); +- event.stopPropagation(); +- } +- +- switch (event.keyCode) { +- case 112: stopOthers(); $('#b_class-11').click(); break; +- case 113: stopOthers(); $('#b_class-12').click(); break; +- case 114: stopOthers(); $('#b_class-13').click(); break; +- case 115: stopOthers(); $('#b_class-14').click(); break; +- case 116: stopOthers(); $('#b_class-15').click(); break; +- case 117: stopOthers(); $('#b_class-16').click(); break; +- case 118: stopOthers(); $('#b_class-17').click(); break; +- case 119: stopOthers(); $('#b_class-1').click(); break; +- case 120: stopOthers(); $('#b_class-2').click(); break; +- } +- }); +- +- // Comment window status buttons +- $(document).on("click", "#cw_buttons", function(event) { +- var newclass = $(event.target).data('n'); +- if (newclass == 0) { +- $('#b_class-' + newclass).click(); +- } else { +- $('#b_class-' + newclass).click(); +- } +- }); +- +- // Highlight colour for selected events +- var hlcol = "#FFFFE0"; +- var hlhov = "#FDFDD6"; +- +- // Individual selects +- var clickOne = 0, clck1 = 0, clck2 = 0; +- $(document).on("click", ".chk_event", function(event) { +- $("#tl3b").trigger('update'); +- var clickTwo = this.id.split("_"); +- if (Number(clickOne[1]) > Number(clickTwo[1])) { +- clck1 = clickTwo[1]; +- clck2 = clickOne[1]; +- } else { +- clck1 = clickOne[1]; +- clck2 = clickTwo[1]; +- } +- +- if (event.shiftKey) { +- if (clck1 != clck2) { +- $("#s" + clck1).nextUntil("#s" + clck2).find(".chk_event").prop("checked", true); +- $("#s" + clck1).nextUntil("#s" + clck2).css("background-color", hlcol); +- $("#s" + clck1).nextUntil("#s" + clck2).hover( +- function(){$(this).css("background-color", hlhov)}, +- function(){$(this).css("background-color", hlcol)}); +- clickOne = 0, clck1 = 0, clck2 = 0; +- } +- } +- +- // Update class_count +- $("#class_count").html($(".chk_event:checked").length); +- if ($("#ca1:checked").length > 0) { +- $("#ca1").prop("checked",false); +- 
} +- clickOne = this.id.split("_"); +- +- if ($(this).prop("checked") == true) { +- $("#s" + clickTwo[1]).css("background-color", hlcol); +- $("#s" + clickTwo[1]).hover(function(){$(this).css("background-color", hlhov)}, +- function(){$(this).css("background-color", hlcol)}); +- } else { +- $("#s" + clickTwo[1]).css("background-color", "transparent"); +- $("#s" + clickTwo[1]).hover(function(){$(this).css("background-color", "#f4f4f4")}, +- function(){$(this).css("background-color", "transparent")}); +- } +- }); +- +- // Select all (2) +- $(document).on("click", "#ca1", function(event) { +- var chkLen = $("#ca1:checked").length; +- switch(chkLen) { +- case 0: +- $(".chk_event").prop("checked",false); +- $("#ca0").prop("checked",false); +- $(".d_row_sub1").css("background-color", "transparent"); +- $(".d_row_sub1").hover(function(){$(this).css("background-color", "#f4f4f4")}, +- function(){$(this).css("background-color", "transparent")}); +- break; +- default: +- $(".chk_event").each(function() { +- if ($(this).prop("disabled") == false) { +- $(this).prop("checked",true); +- } +- }); +- $(".d_row_sub1").css("background-color", hlcol); +- $(".d_row_sub1").hover(function(){$(this).css("background-color", hlhov)}, +- function(){$(this).css("background-color", hlcol)}); +- $("#ca0").prop("checked",true); +- break; +- } +- +- if ($(".eview_sub1")[0]) { +- // Update class_count +- $("#class_count").html($(".chk_event:checked").length); +- } +- +- }); +- +- // Select all (2a) - clean this up, the above is almost identical +- $(document).on("click", "#ca2", function(event) { +- var chkLen = $("#ca2:checked").length; +- switch(chkLen) { +- case 0: +- $(".chk_event").prop("checked",false); +- $("#ca2").prop("checked",false); +- $(".d_row_sub1").css("background-color", "transparent"); +- $(".d_row_sub1").hover(function(){$(this).css("background-color", "#f4f4f4")}, +- function(){$(this).css("background-color", "transparent")}); +- break; +- default: +- 
$(".chk_event").each(function() { +- if ($(this).prop("disabled") == false) { +- $(this).prop("checked",true); +- } +- }); +- $(".d_row_sub1").css("background-color", hlcol); +- $(".d_row_sub1").hover(function(){$(this).css("background-color", hlhov)}, +- function(){$(this).css("background-color", hlcol)}); +- $("#ca2").prop("checked",true); +- break; +- } +- // Update class_count +- $("#class_count").html($(".chk_event:checked").length); +- }); +- +- // Class button click +- $(document).on("click", "[id*=\"b_class-\"]", function() { +- // We only fire if something is selected +- var chkLen = parseInt($(".chk_event:checked").length + $(".chk_all:checked").length); +- var intclass = $(this).attr('id').split("-"); +- if (chkLen > 0 && intclass[1] != 0) { +- eClass(this,intclass[1]); +- } +- }); +- +- function eClass(caller,intclass) { +- // The sid.cid values +- var scid= "", scidlist = "", ecls = 0; +- if ($(".eview_sub1")[0] || $("#ca2")[0]) { +- $(".chk_event:checked").each(function() { +- if ($(this).data('eclass') == 0) { +- ecls++; +- } +- scid += $(this).val() + ","; +- }); +- scidlist = scid.replace(/,$/, ""); +- } else { +- ecls = $(".d_row_active").find(".b_ec_hot").text(); +- scidlist = $("#ca0").data("scid"); +- } +- +- // Was there a message? +- var msg = "none"; +- if ($(".cat_msg_txt").val().length != 0) { +- msg = $(".cat_msg_txt").val(); +- } +- +- if ($('#cat_box').css('display') != 'none') { +- $('#ico01').click(); +- } +- +- // We are now ready to class +- var catdata = intclass + "|||" + msg + "|||" + scidlist; +- var urArgs = "type=" + 9; +- $(function(){ +- $.post(".inc/callback.php?" 
+ urArgs, { catdata: catdata } ,function(data){cb9(data)}); +- }); +- +- function cb9(data){ +- eval("catRaw=" + data); +- catDbg = catRaw.dbg; +- if (catDbg == "0") { +- +- var curtotalrtcount = Number(ecls); +- // Working on grouped events +- if ($("#gr").text() == "on") { +- curclasscount = Number($("#class_count").text()); +- var curtotalparentcount = $(".d_row_active").find(".b_ec_hot").text(); +- // Do we have queued events? +- if (curtotalparentcount > 0) { +- +- // Are we working on queued events? +- if (curtotalrtcount > 0) { +- curclasscount = curtotalrtcount; +- } else { +- curclasscount = 0; +- } +- // Adjust the parent count +- newparentcount = parseInt(curtotalparentcount - curclasscount,10); +- $(".d_row_active").find(".b_ec_hot").text(newparentcount); +- +- if (newparentcount == 0) { +- $(".d_row_active").find(".b_ec_hot").parent().attr('class','row'); +- $(".d_row_active").find(".b_ec_hot").attr('class','b_ec_cold'); +- } +- +- // If we are working within the child, adjust accordingly +- if ($(".eview_sub1")[0]) { +- // How many are in the child +- curtotalchildcount = $(".d_row_sub_active").find(".b_ec_hot").text(); +- +- // Adjust the child count +- newchildcount = parseInt(curtotalchildcount - curclasscount,10); +- $(".d_row_sub_active").find(".b_ec_hot").text(newchildcount); +- if (newchildcount == 0) { +- $("#ca1").prop("disabled",true); +- $(".d_row_sub_active").find(".b_ec_hot").parent().attr('class','sub'); +- $(".d_row_sub_active").find(".b_ec_hot").attr('class','b_ec_cold'); +- } +- // Otherwise we were called from the parent +- } else { +- $(".d_row_sub").find(".b_ec_hot").parent().attr('class','sub'); +- $(".d_row_sub").find(".b_ec_hot").text(0); +- $(".d_row_sub").find(".b_ec_hot").attr('class','b_ec_cold'); +- $("#ca0").prop("disabled",true); +- } +- lastclasscount = newparentcount; +- } +- +- // Lastly, update class_count +- if (rtbit == 1 || curtotalrtcount > 0 || $("#eview_sub")[0]) { +- $("#class_count").html(0); +- } else { +- 
$("#class_count").html($(".d_row_active").find(".b_ec_total").text()); +- } +- +- // Working on ungrouped events +- } else { +- $("#class_count").html(lastclasscount); +- } +- +- // What the new classification is +- selClass = $(caller).data("cn"); +- newClass = "a_" + selClass; +- +- // Change visible class and disable if RT +- // If we are RT ungrouped, we just remove +- if ($('#rt').text() == 'on' && $("#ca2")[0]) { +- $(".chk_event:checked").each(function() { +- var pid = $(this).attr("id").split("_"); +- var nid = parseInt(Number(pid[1]) + 1); +- // Remove any open payload or TX panes +- if ($("[id^=eview_]")[0]) { +- $("[id^=eview_]").remove(); +- $(".d_row_sub1").css('opacity','1'); +- } +- // Remove the row +- $("#s" + pid[1]).fadeOut('fast', function() { +- $("#s" + pid[1]).remove(); +- }); +- }); +- +- // Update table (for sorter) +- $("#tl3b").trigger('update'); +- } else { +- // If we are RT and all events are classed we just remove +- if ($('#rt').text() == 'on' && $(".d_row_active").find(".b_ec_hot").text() == 0) { +- $("#active_eview").remove(); +- $(".d_row_active").fadeOut('slow', function (event) { +- $(".d_row_active").remove(); +- var newsigtotal = "-"; +- var sigtotal = $("#esignature").text(); +- if (sigtotal > 0) { +- newsigtotal = parseInt(sigtotal - 1); +- } +- $("#esignature").text(newsigtotal); +- }); +- $(".d_row").css('opacity','1'); +- } else { +- $(".chk_event:checked").each(function() { +- var n = this.id.split("_"); +- $("#class_box_" + n[1]).attr('class', newClass); +- $("#class_box_" + n[1]).text(selClass); +- if (curtotalparentcount > 0) { +- $(this).prop("disabled",true); +- } +- }); +- } +- $(".d_row_sub1").css("background-color", "#fafafa"); +- $(".d_row_sub1").hover(function(){$(this).css("background-color", "#f4f4f4")}, +- function(){$(this).css("background-color", "#fafafa")}); +- } +- +- // Uncheck everything +- $(".chk_event").prop("checked", false); +- $(".chk_all").prop("checked", false); +- // Remove these scids from 
the L1 scidlist +- if ($("#ca0")[0] && rtbit == 1) { +- var cur_scidlist = scidlist.split(','); +- var active_scidlist = $("#ca0").data("scid"); +- for (var i = 0; i < cur_scidlist.length; i++) { +- active_scidlist = active_scidlist.replace(cur_scidlist[i],''); +- } +- active_scidlist = active_scidlist.replace(/,{2,}/g,','); +- active_scidlist = active_scidlist.replace(/(^,|,$)/g,''); +- $("#ca0").data("scid", active_scidlist); +- } +- catMsg(scidlist.split(',').length, curtotalrtcount); +- } else { +- catMsg(0); +- } +- } +- } +- +- function catMsg(count, rtcount) { +- switch (count) { +- default: +- var ess = ''; +- if ( count > 1 ) ess = 's'; +- +- var numrows = Number($('.d_row').length + $('.d_row_sub1').length); +- var newboxtotal = 0, newcatcount = 0; +- newboxtotal = parseInt($("#qtotal").text() - rtcount); +- $("#qtotal").text(newboxtotal); +- +- // If we are just rt update Total boxes as we go +- if ($("#ca2")[0]) { // We are ungrouped +- newcatcount = parseInt($("#cat_count").text() - count); +- if (newcatcount == 0) { +- newView("u"); +- } else { +- $("#cat_count").text(newcatcount); +- } +- } +- +- if (numrows == 0) { +- newView("u"); +- } +- +- var msg = count + " event" + ess + " categorized"; +- clearTags(); +- break; +- } +- +- $("span.class_msg").text(msg); +- $("span.class_msg").fadeIn('slow', function() { +- setTimeout(function(){ +- $(".class_msg").fadeOut('slow'); +- }, 3000); +- }); +- } +- +- // Load summary tab +- function loadSummary() { +- var limit = 10; +- if ($('#wm0')[0]) { +- doMap("redraw"); +- } else { +- doMap("draw"); +- } +- mkSummary("signature",limit); +- mkSummary("srcip",limit); +- mkSummary("dstip",limit); +- mkSummary("srcpt",limit); +- mkSummary("dstpt",limit); +- mkSummary("srccc",limit); +- mkSummary("dstcc",limit); +- } +- +- // Toggle summary section +- $(document).on("click", ".hidepane", function(e) { +- $('#topsignature').toggle(); +- }); +- +- // Summary tab +- function mkSummary(box,limit) { +- var theWhen = 
getTimestamp(); +- var theSensors = s2h('empty'); +- var theFilter = mkFilter(); +- // See if we are filtering by sensor +- if ($('.chk_sen:checked').length > 0) { +- var active_sensors = "AND event.sid IN("; +- var iter = $('.chk_sen:checked').length; +- $('.chk_sen:checked').each(function() { +- active_sensors += "'" + $(this).val() + "',"; +- }); +- active_sensors = active_sensors.replace(/,+$/,''); +- active_sensors += ")"; +- theSensors = s2h(active_sensors); +- } +- +- var ldr = "
"; +- $('#ov_' + box + '_sl').prepend(ldr); +- $('#top' + box).fadeTo('fast', 0.2); +- switch (box) { +- case "srcip": +- var cbArgs = "srcip"; +- var qargs = "ip-src"; +- var urArgs = "type=15&qargs=" + qargs + "&filter=" + theFilter + "&sensors=" + theSensors + "&limit=" + limit + "&ts=" + theWhen; +- $(function(){ +- $.get(".inc/callback.php?" + urArgs, function(data){cb15(data,cbArgs)}); +- }); +- break; +- case "dstip": +- var cbArgs = "dstip"; +- var qargs = "ip-dst"; +- var urArgs = "type=15&qargs=" + qargs + "&filter=" + theFilter + "&sensors=" + theSensors + "&limit=" + limit + "&ts=" + theWhen; +- $(function(){ +- $.get(".inc/callback.php?" + urArgs, function(data){cb15(data,cbArgs)}); +- }); +- break; +- case "srcpt": +- var cbArgs = "srcpt"; +- var qargs = "pt-src"; +- var urArgs = "type=15&qargs=" + qargs + "&filter=" + theFilter + "&sensors=" + theSensors + "&limit=" + limit + "&ts=" + theWhen; +- $(function(){ +- $.get(".inc/callback.php?" + urArgs, function(data){cb17(data,cbArgs)}); +- }); +- break; +- case "dstpt": +- var cbArgs = "dstpt"; +- var qargs = "pt-dst"; +- var urArgs = "type=15&qargs=" + qargs + "&filter=" + theFilter + "&sensors=" + theSensors + "&limit=" + limit + "&ts=" + theWhen; +- $(function(){ +- $.get(".inc/callback.php?" + urArgs, function(data){cb17(data,cbArgs)}); +- }); +- break; +- case "signature": +- var qargs = "sig-sig"; +- var urArgs = "type=15&qargs=" + qargs + "&filter=" + theFilter + "&sensors=" + theSensors + "&limit=" + limit + "&ts=" + theWhen; +- $(function(){ +- $.get(".inc/callback.php?" + urArgs, function(data){cb16(data)}); +- }); +- break; +- case "srccc": +- var cbArgs = "srccc"; +- var qargs = "cc-src"; +- var urArgs = "type=15&qargs=" + qargs + "&filter=" + theFilter + "&sensors=" + theSensors + "&limit=" + limit + "&ts=" + theWhen; +- $(function(){ +- $.get(".inc/callback.php?" 
+ urArgs, function(data){cb15(data,cbArgs)}); +- }); +- break; +- case "dstcc": +- var cbArgs = "dstcc"; +- var qargs = "cc-dst"; +- var urArgs = "type=15&qargs=" + qargs + "&filter=" + theFilter + "&sensors=" + theSensors + "&limit=" + limit + "&ts=" + theWhen; +- $(function(){ +- $.get(".inc/callback.php?" + urArgs, function(data){cb15(data,cbArgs)}); +- }); +- break; +- } +- +- // IP and Country +- function cb15(data,cbArgs){ +- var ch = "SRC"; +- var wip = "d"; +- if (cbArgs[0] == "s") ch = "DST", wip = "s"; +- eval("raw=" + data); +- var tbl = '', head = '', row = ''; +- head += ""; +- head += "COUNT"; +- head += "%TOTAL"; +- head += "#SIG"; +- head += "#" + ch + ""; +- if (cbArgs[3] == "c") { +- head += "COUNTRY"; +- head += "#IP"; +- } else { +- head += "IP"; +- head += "COUNTRY"; +- } +- head += ""; +- +- var eventsum = raw[raw.length - 1].n || 0; +- var records = raw[raw.length - 1].r || 0; +- if (records == 0) { +- row = "No result."; +- $("#ov_" + cbArgs + "_sl").text(""); +- } +- for (var i=0; i 0) per = parseFloat(cnt/eventsum*100).toFixed(2); +- row += ""; +- row += "" + cnt + ""; +- row += "" + per + "%"; +- row += "" + sigs + ""; +- row += "" + ip2 + ""; +- +- if (cbArgs[3] == "c") { +- row += ""; +- row += cs[1] + clong + " (." + cc.toLowerCase() + ")" + ""; +- row += "" + ip + ""; +- } else { +- row += "
" + ip + ""; +- row += ""; +- row += cs[1] + clong + " (." + cc.toLowerCase() + ")" + ""; +- } +- row += ""; +- row += "
"; +- } +- tbl += ""; +- tbl += head; +- tbl += row; +- tbl += "
"; +- if ($("#top" + cbArgs)[0]) $("#top" + cbArgs).remove(); +- $("#ov_" + cbArgs + "_sl").after(tbl); +- $("#ov_" + cbArgs + "_msg").html("viewing " + i + " of " + records + " results"); +- mkSlider("ov_" + cbArgs + "_sl", i, records); +- } +- +- // Ports +- function cb17(data,cbArgs){ +- eval("raw=" + data); +- var tbl = '', head = '', row = ''; +- head += ""; +- head += "COUNT"; +- head += "%TOTAL"; +- head += "#SIG"; +- head += "#SRC" +- head += "#DST"; +- head += "PORT"; +- head += ""; +- +- var eventsum = raw[raw.length - 1].n || 0; +- var records = raw[raw.length - 1].r || 0; +- if (records == 0) { +- row = "No result."; +- $("#ov_" + cbArgs + "_sl").text(""); +- } +- for (var i=0; i 0) per = parseFloat(cnt/eventsum*100).toFixed(2); +- row += ""; +- row += "" + cnt + ""; +- row += "" + per + "%"; +- row += "" + sigs + ""; +- row += "" + src + ""; +- row += "" + dst + ""; +- row += "" + port + ""; +- row += ""; +- row += "
"; +- } +- tbl += ""; +- tbl += head; +- tbl += row; +- tbl += "
"; +- if ($("#top" + cbArgs)[0]) $("#top" + cbArgs).remove(); +- $("#ov_" + cbArgs + "_sl").after(tbl); +- $("#ov_" + cbArgs + "_msg").html("viewing " + i + " of " + records + " results"); +- mkSlider("ov_" + cbArgs + "_sl", i, records); +- } +- // Signature +- function cb16(data){ +- eval("raw=" + data); +- var tbl = '', head = '', row = ''; +- head += ""; +- head += "COUNT"; +- head += "%TOTAL"; +- head += "#SRC"; +- head += "#DST"; +- head += "SIGNATURE"; +- head += "ID"; +- head += ""; +- +- var eventsum = raw[raw.length - 1].n || 0; +- var records = raw[raw.length - 1].r || 0; +- if (records == 0) { +- row = "No result."; +- $("#ov_signature_sl").text(""); +- $("#ovestat").html("(No events)"); +- } else { +- $("#ovestat").html("(" + eventsum + " events)"); +- } +- for (var i=0; i 0) per = parseFloat(cnt/eventsum*100).toFixed(2); +- row += ""; +- row += "" + cnt + ""; +- row += "" + per + "%"; +- row += "" + src + ""; +- row += "" + dst + ""; +- row += "" + sig + ""; +- row += "" + sid + ""; +- row += ""; +- row += "
"; +- } +- +- tbl += ""; +- tbl += head; +- tbl += row; +- tbl += "
"; +- if ($('#topsignature')[0]) $('#topsignature').remove(); +- $("#ov_signature_sl").after(tbl); +- $("#ov_signature_msg").html("viewing " + i + " of " + records + " results"); +- mkSlider("ov_signature_sl", i, records); +- } +- } +- +- $(".ovsl").mouseup(function() { +- var section = $(this).attr('id'); +- var base = section.split("_")[1]; +- var limit = Number($("#" + section + "_lbl").text()); +- if (limit > 0) mkSummary(base, limit); +- }); +- +- // +- // Views tab +- // +- +- function loadViews() { +- $('.db_links').show(); +- if (!$("#db_view_cont")[0]) mkView(); +- } +- +- // Link handlers +- $(document).on('click', '.db_link', function() { +- $('.db_link').each(function() { +- if ($(this).data('state') == '1') { +- $(this).removeClass('db_link_active'); +- $(this).data('state', '0'); +- } +- }); +- $(this).data('state', '1'); +- mkView(); +- }); +- +- $(document).on('click', '.db_type', function() { +- $('.db_type').each(function() { +- if ($(this).data('state') == '1') { +- $(this).removeClass('db_type_active'); +- $(this).data('state', '0'); +- } +- }); +- $(this).data('state', '1'); +- mkView(); +- }); +- +- $(document).on('click','.db_save', function() { +- +- }); +- +- // Create the view +- function mkView() { +- $('#db_view_cont,#hp_info').remove(); +- if (!$("#db_view_ldr")[0]) { +- var view = 'ip'; +- $('.db_link').each(function() { +- if ($(this).data('state') == '1') { +- $(this).addClass('db_link_active'); +- view = $(this).data('val'); +- } +- }); +- +- var type = 'sk'; +- $('.db_type').each(function() { +- if ($(this).data('state') == '1') { +- $(this).addClass('db_type_active'); +- type = $(this).data('type'); +- } +- }); +- +- var theWhen = getTimestamp(); +- var theSensors = s2h('empty'); +- var theFilter = mkFilter(); +- // See if we are filtering by sensor +- if ($('.chk_sen:checked').length > 0) { +- var active_sensors = "AND event.sid IN("; +- var iter = $('.chk_sen:checked').length; +- $('.chk_sen:checked').each(function() { +- 
active_sensors += "'" + $(this).val() + "',"; +- }); +- active_sensors = active_sensors.replace(/,+$/,''); +- active_sensors += ")"; +- theSensors = s2h(active_sensors); +- } +- +- var ldr = "
"; +- $('.db_view').after(ldr); +- var qargs = view + "-" + type; +- var urArgs = "type=16&qargs=" + qargs + "&filter=" + theFilter + "&sensors=" + theSensors + "&ts=" + theWhen; +- $(function(){ +- $.get(".inc/callback.php?" + urArgs, function(data){cb17(data,type)}); +- }); +- +- function cb17(data,type) { +- eval("viewData=" + data); +- var records = viewData.records; +- if ($('#db_view_cont')[0]) $('#db_view_cont').remove(); +- if (records > 0) { +- $('.db_view').after("
"); +- switch (type) { +- case 'sk': +- var w = $(window).width(); +- var h = viewData.links.length * 12; +- if (h < 100) h = 100; +- mkSankey("db_view_cont",viewData,w,h); +- break; +- } +- } else { +- $('.db_view').after("
The query returned no results.
"); +- } +- $('#db_view_ldr').remove(); +- } +- } +- } +- +- // Make a map +- function doMap() { +- theWhen = getTimestamp(); +- var theFilter = mkFilter(); +- var working = "Working
"; +- +- $('#wm0').html(working); +- +- var urArgs = "type=" + 10 + "&filter=" + theFilter + "&ts=" + theWhen; +- $(function(){ +- $.get(".inc/callback.php?" + urArgs, function(data){cb10(data)}); +- }); +- +- function cb10(data){ +- eval("mapRaw=" + data); +- try { +- var mapDetail = $.parseJSON("{" + mapRaw.all + "}"); +- var srcc = mapRaw.srcc; +- var srce = mapRaw.srce; +- var dstc = mapRaw.dstc; +- var dste = mapRaw.dste; +- var allc = mapRaw.allc; +- var alle = mapRaw.alle; +- } +- catch(e) { +- var mapDetail = "{\"\"}"; +- } +- +- // What is our current event total? +- var esum = $('#event_sum').val(); +- var w = $(window).width() - 72; +- var h = w / 2.7 ; +- $("#ov_map").html("
"); +- $('#wm0').vectorMap({ +- map: 'world_mill_en', +- color: '#f4f3f0', +- backgroundColor: '#CFE1FC', +- zoomOnScroll: false, +- onRegionClick: function(event, code){ +- hItemAdd(code); +- $('#search').val("cc" + " " + code); +- $('#search').focus(); +- }, +- series: { +- regions: [{ +- values: mapDetail, +- scale: ['#ffffff', '#000000'], +- normalizeFunction: 'polynomial' +- }] +- }, +- onRegionLabelShow: function(e, el, code){ +- if (mapDetail[code]) { +- var eper = parseFloat(mapDetail[code]/esum*100).toFixed(3); +- el.html(el.html() + ' (' + mapDetail[code] + ' Events ' + eper + '% of Total)'); +- } else { +- el.html(el.html()); +- } +- } +- }); +- +- var stats = "("; +- stats += allc + " distinct countries)"; +- $("#ovmapstat").html(stats); +- } +- } +- +- // Redraw map +- $(document).on("click", "#map_src, #map_dst", function() { +- doMap($(this).attr('id').split("_")[1]); +- }); +- +- // +- // History +- // +- +- function doHistory(object) { +- $('#loader').show(); +- var urArgs = "type=" + 21 + "&object=" + s2h("aa" + object) + "&ts=" + theWhen; +- $(function(){ +- $.get(".inc/callback.php?" 
+ urArgs, function(data){cb21(data)}); +- }); +- +- function cb21(data){ +- eval("chartData=" + data); +- var r1 = chartData.r1; +- var r2 = chartData.r2; +- var sum = 0; +- if (r1 > 0) { +- mkHeatMap(".ev_hm",chartData.start,chartData.rows1,object); +- $('#obhist_sig').remove(); +- if (r2 > 0) { +- +- for (var i=0; i < r2; i++) { +- sum += Number(chartData.rows2[i].value); +- } +- +- var tbl = '', head = '', row = ''; +- head += ""; +- head += "COUNT"; +- head += "%TOTAL"; +- head += "SIGNATURE"; +- head += ""; +- row += ""; +- +- for (var i=0; i < r2; i++) { +- +- var cnt = chartData.rows2[i].value || "-"; +- var sig = chartData.rows2[i].label || "-"; +- var sid = chartData.rows2[i].sid || "-"; +- var per = 0; +- if (sum > 0) var per = parseFloat(cnt/sum*100).toFixed(2); +- var tsg = truncTag(sig,60); +- +- row += ""; +- row += "" + cnt + ""; +- row += "" + per + "%"; +- row += "" + tsg + ""; +- row += "" +- row += "
"; +- } +- +- row += ""; +- tbl += ""; +- tbl += head; +- tbl += row; +- tbl += "
"; +- if ($('#obhist_sig')[0]) $('#obhist_sig').remove(); +- $(".ev_py").append(tbl); +- } +- } else { +- return; +- } +- if ($(".eview_charts")[0]) $('.eview_charts').slideDown('slow'); +- $("#loader").hide(); +- } +- } +-// The End. +-}); +--- securityonion-squert-20161212.orig/.auth/sso/login.php ++++ /dev/null +@@ -1,141 +0,0 @@ +- +-// +-// This program is free software: you can redistribute it and/or modify +-// it under the terms of the GNU General Public License as published by +-// the Free Software Foundation, either version 3 of the License, or +-// (at your option) any later version. +-// +-// This program is distributed in the hope that it will be useful, +-// but WITHOUT ANY WARRANTY; without even the implied warranty of +-// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +-// GNU General Public License for more details. +-// +-// You should have received a copy of the GNU General Public License +-// along with this program. If not, see . +-// +-// +- +-include_once '.inc/config.php'; +- +-$username = $password = $err = ''; +-$focus = 'username'; +-session_set_cookie_params(0, NULL, NULL, NULL, TRUE); +- +-function cleanUp($string) { +- if (get_magic_quotes_gpc()) { +- $string = stripslashes($string); +- } +- $string = mysql_real_escape_string($string); +- return $string; +-} +- +-//if ($_SERVER['REQUEST_METHOD'] == 'POST'){ +- //$username = $_REQUEST['username']; +- //$password = $_REQUEST['password']; +- $username = $_SERVER['PHP_AUTH_USER']; +- $password = $_SERVER['PHP_AUTH_PW']; +- +- $ua = $_SERVER['HTTP_USER_AGENT']; +- $rqt = $_SERVER['REQUEST_TIME']; +- $rqaddr = $_SERVER['REMOTE_ADDR']; +- $max = mt_getrandmax(); +- $rqt .= mt_rand(0,$max); +- $rqaddr .= mt_rand(0,$max); +- $ua .= mt_rand(0,$max); +- $cmpid = $rqt . $rqaddr . 
$ua; +- $id = md5($cmpid); +- $db = mysql_connect($dbHost,$dbUser,$dbPass); +- $link = mysql_select_db($dbName, $db); +- if ($link) { +- $user = cleanUp($username); +- $query = "SELECT * FROM user_info WHERE username = '$user'"; +- $result = mysql_query($query); +- $numRows = mysql_num_rows($result); +- +- if ($numRows > 0) { +- while ($row = mysql_fetch_row($result)) { +- $userName = $row[1]; +- $lastLogin = $row[2]; +- $userHash = $row[3]; +- $userEmail = $row[4]; +- $userType = $row[5]; +- $userTime = $row[6]; +- $tzoffset = $row[7]; +- } +- // The first 2 chars are the salt +- $theSalt = substr($userHash, 0,2); +- +- // The remainder is the hash +- $theHash = substr($userHash, 2); +- +- // Now we hash the users input +- $testHash = sha1($password . $theSalt); +- +- // Does it match? If yes, start the session. +- if ($testHash === $theHash) { +- session_start(); +- +- // Protect against session fixation attack +- if (!isset($_SESSION['initiated'])) { +- session_regenerate_id(); +- $_SESSION['initiated'] = true; +- } +- +- $_SESSION['sLogin'] = 1; +- $_SESSION['sUser'] = $userName; +- $_SESSION['sPass'] = $password; +- $_SESSION['sEmail'] = $userEmail; +- $_SESSION['sType'] = $userType; +- $_SESSION['sTime'] = $userTime; +- $_SESSION['tzoffset'] = $tzoffset; +- $_SESSION['sTab'] = 't_sum'; +- $_SESSION['id'] = $id; +- +- header ("Location: index.php?id=$id"); +- } else { +- $err = 'The user name or password is incorrect.'; +- $focus = 'username'; +- } +- } else { +- $err = 'The user name or password is incorrect.'; +- $focus = 'username'; +- } +- } else { +- $err = 'Connection Failed'; +- } +-//} +-?> +- +- +- +-Please login to continue +- +- +- +- +-
+-
+- +- +- +- +- +- +-
+-squert - Please login to continue
+-Username
+-
+-Password
+-
+-

+-
Version 1.6.4©2016 Paul Halliday
+-
+-
+- +- +- +--- /dev/null ++++ securityonion-squert-20161212/.auth/sso/squert/.js/squertMain.js +@@ -0,0 +1,3276 @@ ++/* Copyright (C) 2012 Paul Halliday */ ++ ++$(document).ready(function(){ ++ ++ $(document).on('click', '[class*="bpr"]', function() { ++ // We disallow filtering if any events have already been selected ++ // or if we stray from the event tab ++ if ($('.d_row_active')[0]) return; ++ if ($(".chk_event:checked").length > 0) return; ++ if ($(".tab_active").attr('id') != 't_sum') return; ++ ++ var prClass = $(this).attr('class').split('b')[1]; ++ var prOld = $(this).data('pr'); ++ ++ function flipIt(pattern) { ++ $(pattern).closest('tr').hide(); ++ $(pattern).closest('tr').attr('class','hidden'); ++ if ($('#gr').text() == 'on') $(pattern).closest('tr').find('.chk_event').prop("disabled",true); ++ } ++ if ($('.b' + prClass).attr('class') == 'bprA') { ++ $('.b' + prClass).attr('class', 'bpr' + prOld); ++ $('.hidden').attr('class','d_row'); ++ $('.d_row').show(); ++ if ($('#gr').text() == 'on') { ++ $('.chk_event').prop("disabled",false); ++ $('.chk_all').prop("checked",false); ++ $('.chk_event').css("background-color", "#fafafa"); ++ } ++ } else { ++ // See if we are already filtered ++ if ($('.bprA')[0]) { ++ $('.hidden').attr('class','d_row'); ++ $('.d_row').show(); ++ if ($('#gr').text() == 'on') { ++ $('.chk_event').prop("disabled",false); ++ $('.chk_all').prop("checked",false); ++ $('.chk_event').css("background-color", "#fafafa"); ++ } ++ var prPrev = $('.bprA').data('pr'); ++ $('.bprA').attr('class', 'bpr' + prPrev); ++ } ++ $('.b' + prClass).attr('class','bprA'); ++ switch (prClass) { ++ case "pr1": ptrn = ".pr2,.pr3,.pr4"; break; ++ case "pr2": ptrn = ".pr1,.pr3,.pr4"; break; ++ case "pr3": ptrn = ".pr1,.pr2,.pr4"; break; ++ case "pr4": ptrn = ".pr1,.pr2,.pr3"; break; ++ } ++ flipIt(ptrn); ++ } ++ }); ++ ++ // ++ // Load main content ++ // ++ ++ // Keep track of context ++ thisUser = $('#t_usr').data('c_usr'); ++ thisTZ = $('#user_tz').val(); ++ 
rtbit = 0; ++ eventList("0-aaa-00"); ++ $("#loader").show(); ++ lastclasscount = 0; ++ ++ $(document).on("click", "#dt_savetz", function(event) { ++ if ($('.dt_error').data('err') == 0) { ++ var newOffset = $('#ts_offset').val(); ++ profileUpdate("tz", s2h(newOffset)); ++ $('#user_tz').val(newOffset); ++ } ++ }); ++ ++ // Depending on context a 'No result' may be confusing ++ // so we turn off active queue and show everything ++ $(document).on('click', '#retry', function() { ++ $('#rt').attr('class','tvalue_off'); ++ $('#rt').text('off'); ++ rtbit = 0; ++ $('.b_update').click(); ++ }); ++ ++ // Get event statuses ++ var eTotal = 0, qTotal = 0; ++ function statusPoll(caller) { ++ // See if we are filtering by sensor ++ var theSensors = s2h('empty'); ++ if ($('.chk_sen:checked').length > 0) { ++ var active_sensors = "AND event.sid IN("; ++ var iter = $('.chk_sen:checked').length; ++ $('.chk_sen:checked').each(function() { ++ active_sensors += "'" + $(this).val() + "',"; ++ }); ++ active_sensors = active_sensors.replace(/,+$/,''); ++ active_sensors += ")"; ++ theSensors = s2h(active_sensors); ++ } ++ ++ var urArgs = "type=" + 6 + "&ts=" + theWhen + "&sensors=" + theSensors; ++ $(function(){ ++ $.get(".inc/callback.php?" + urArgs, function(data){cb(data)}); ++ }); ++ ++ function cb(data){ ++ // Check to make sure we still have a valid session. If we don't ++ // let the user know and return them to the login page. ++ if (data[0] == "<") { ++ $("span.class_msg").text("Your session has expired!"); ++ $("span.class_msg").css("background-color", "#cc0000"); ++ $("span.class_msg").css("color", "#fff"); ++ $("span.class_msg").show(); ++ var sessionDead = confirm("Your session has expired. Press \"OK\" to return to the login page. If you aren't finished with what you were looking at click 'Cancel'. 
Note: you won't be able to perform any actions."); ++ if (sessionDead) { ++ $("#logout").click(); ++ } ++ } ++ eval("ec=" + data); ++ ++ var esum = 0; ++ ++ for (var i=0; i 0) { ++ var p = parseFloat(ecount/esum*100).toFixed(1); ++ var w = parseInt(p*2); ++ } ++ if (eclass == 0) { ++ qTotal = ecount; ++ } ++ $("#c-" + eclass).text(ecount); ++ $("#c-" + eclass).append("(" + p + "%)"); ++ } ++ ++ var lastcount = $("#cat_sum").val(); ++ var newcount = esum; ++ $("#cat_sum").val(esum); ++ eTotal = esum; ++ $("#event_sum").val(eTotal); ++ ++ if (caller == 0) { // Fresh load ++ lastcount = newcount; ++ } ++ ++ // Last RT value ++ var lastQ = Number($("#qtotal").html()); ++ if (lastcount < newcount) { ++ $("#etotal").html(eTotal); ++ } ++ ++ if (lastQ < qTotal) { ++ if (caller != 0) { ++ if ($(".icon_notifier").css('display') == 'none') $(".icon_notifier").fadeToggle(); ++ } ++ $("#etotal").html(eTotal); ++ $("#qtotal").html(qTotal); ++ } ++ ++ $("#title").html("squert (" + qTotal + ") - " + thisUser); ++ ++ } ++ ++ } ++ ++ // ++ // Event monitor (how often we poll for new events) ++ // ++ ++ var emTimeout = 30000; ++ window.setInterval(function(){ ++ if ($('#search').val().length == 0) { ++ statusPoll(1); ++ } ++ }, emTimeout); ++ ++ $(document).on("click", '[class*="cl_"]', function(event) { ++ var nc = $(this).attr('class').split("_"); ++ var ct = $(this).parents('table').data('comment'); ++ $(".cat_msg_txt").val(ct); ++ $('#b_class-' + nc[1]).click(); ++ }); ++ ++ // Tabs ++ var tab_cached = $("#sel_tab").val(); ++ ++ switch (tab_cached) { ++ case "t_sum": ++ $('.content-right').show(); ++ break; ++ case "t_ovr": ++ $('.content-right').hide(); ++ $('.content-left').hide(); ++ if ($('#ovestat').text().length == 0) loadSummary(); ++ break; ++ case "t_view": ++ $('.content-right').hide(); ++ $('.content-left').hide(); ++ loadViews(); ++ default: ++ $('.content-right').hide(); ++ $('.content-left').hide(); ++ break; ++ } ++ ++ $('#' + 
tab_cached).attr('class','tab_active'); ++ $("#" + tab_cached + "_content").attr('class','content_active'); ++ ++ $(".tab,.tab_active").click(function(event) { ++ var active = $(".tab_active").attr('id'); ++ var content = $(".content_active").attr('id'); ++ if ($(".fl_val_on")[0]) { ++ $('.b_update').click(); ++ } ++ ++ if ( this.id != active ) { ++ $("#" + active).removeClass('tab_active'); ++ $("#" + active).addClass('tab'); ++ $(this).attr('class','tab_active'); ++ $("#" + content).attr('class','content'); ++ $("#" + this.id + "_content").attr('class','content_active'); ++ activeTab = $(".tab_active").attr('id'); ++ $('.pin').hide(); ++ ++ switch (activeTab) { ++ case "t_sum": ++ $('.content-right').show(); ++ if (Number($('.botog').data('val')) == 1) $('.content-left').show(); ++ $('.t_pbar').css('opacity',1); ++ $('.db_links').hide(); ++ $('.pin').show(); ++ break; ++ case "t_ovr": ++ $('.content-right').hide(); ++ $('.content-left').hide(); ++ if ($('#ovestat').text().length == 0) loadSummary(); ++ $('.t_pbar').css('opacity',.1); ++ $('.db_links').hide(); ++ break; ++ case "t_view": ++ $('.content-right').hide(); ++ $('.content-left').hide(); ++ $('.t_pbar').css('opacity',.1); ++ loadViews(); ++ break; ++ default: ++ $('.content-right').hide(); ++ $('.content-left').hide(); ++ $('.t_pbar').css('opacity',.1); ++ $('.db_links').hide(); ++ break; ++ } ++ ++ $('#sel_tab').val(activeTab); ++ var ctab = $('#sel_tab').val(); ++ var urArgs = "type=" + 5 + "&tab=" + ctab; ++ $.get(".inc/callback.php?" 
+ urArgs); ++ } ++ }); ++ ++ // Sub tab groups ++ $(".tsg").click(function(event) { ++ var nc = Number($(this).attr('class').split(/\s/).length); ++ var ct = $(this).data('tab'); ++ $('.tsg_active').attr('class','tsg'); ++ $(this).attr('class','tsg tsg_active'); ++ }); ++ ++ // Toggle and update views ++ function newView(req) { ++ // No racing please ++ var bail = $("#loader").css('display'); ++ if (bail != 'none') return; ++ // Remove any stale views ++ $("#tl0,#tl1,#tl3a,#tl3b").remove(); ++ var f = "0-aaa-00"; ++ var s = "2a-aaa-00"; ++ var cv = $("#gr").text(); ++ ++ switch (cv) { ++ case "on": ++ eventList(f); ++ $("#loader").show(); ++ break; ++ case "off": ++ eventList(s); ++ $("#loader").show(); ++ break; ++ } ++ } ++ ++ // Group and ungroup ++ $(document).on("click", "#gr", function(event) { ++ var bail = $("#loader").css('display'); ++ if (bail != 'none') return; ++ var cv = $('#gr').text(); ++ switch (cv) { ++ case 'on': ++ $('#gr').attr('class','tvalue_off'); ++ $('#gr').text('off'); ++ break; ++ case 'off': ++ $('#gr').attr('class','tvalue_on'); ++ $('#gr').text('on'); ++ $("#event_sort").val("DESC"); ++ break; ++ } ++ }); ++ ++ // RT check/uncheck ++ $(document).on("click", "#rt", function(event) { ++ var bail = $("#loader").css('display'); ++ if (bail != 'none') return; ++ var cv = $('#rt').text(); ++ switch (cv) { ++ case 'on': ++ $('#rt').attr('class','tvalue_off'); ++ $('#rt').text('off'); ++ rtbit = 0; ++ break; ++ case 'off': ++ $('#rt').attr('class','tvalue_on'); ++ $('#rt').text('on'); ++ rtbit = 1; ++ break; ++ } ++ }); ++ ++ // Toggle side/lower bars ++ $(document).on("click", ".botog", function(event) { ++ if ($('.tab_active').attr('id') != 't_sum') return; ++ var n = Number($('.botog').data("val")); ++ switch (n) { ++ case 1: ++ $('.botog').data("val","0"); ++ $('.content-right').css("width","100%"); ++ $('.botog').attr('src','.css/layout0.png'); ++ break; ++ case 0: ++ $('.botog').data("val","1"); ++ 
$('.content-right').css("width","82%"); ++ $('.botog').attr('src','.css/layout1.png'); ++ break; ++ } ++ $('.bottom').animate({height: 'toggle'}); ++ $('.content-left').animate({width: 'toggle'}); ++ }); ++ ++ // Section show and hide ++ $(".st").click(function() { ++ var thisSec = $(this).data("sec"); ++ var thisSecID = "#sec_" + thisSec; ++ var thisSecVis = $(thisSecID).css("display"); ++ var lastSection = "h"; ++ switch (thisSecVis) { ++ case "none": ++ $(this).attr("src", ".css/uarr.png"); ++ $(thisSecID).slideDown(); ++ break; ++ default: ++ $(this).attr("src", ".css/darr.png"); ++ $(thisSecID).slideUp(); ++ break; ++ } ++ }); ++ ++ // If search is in focus, update on enter ++ $('#search').keypress(function(e) { ++ if (!e) e=window.event; ++ key = e.keyCode ? e.keyCode : e.which; ++ if (key == 13) { ++ // Close comment box if it is open ++ if ($('#cat_box').css('display') != 'none') { ++ $('#ico01').click(); ++ } ++ $('.b_update').click(); ++ } ++ }); ++ ++ // Sort ASC/DESC ++ $(document).on("click", ".event_time", function(event) { ++ var csv = $(".event_time").text(); ++ switch (csv) { ++ case "show oldest first": ++ $("#event_sort").val("ASC"); ++ break; ++ case "show newest first": ++ $("#event_sort").val("DESC"); ++ break; ++ } ++ newView("u"); ++ }); ++ ++ // Update page ++ $(document).on("click", ".b_update", function(event) { ++ $(".icon_notifier").fadeToggle(); ++ $(".tag").remove(); ++ $(".tag_empty").show(); ++ // Remove any supplementary results ++ if ($("#extresult")[0]) $("#extresult").remove(); ++ // Where are we? 
++ var curTab = $('.tab_active').attr('id'); ++ switch (curTab) { ++ case 't_ovr': ++ loadSummary(); ++ break; ++ case 't_view': ++ mkView(); ++ break; ++ default: ++ $(".b_update_note").hide(); ++ newView("u"); ++ break; ++ } ++ }); ++ ++ // Clear search and refresh ++ $('#clear_search').click(function() { ++ if ($('#search').val() != '') { ++ $('#search').val(''); ++ $("#search").focus(); ++ if ($(".fl_val_on")[0]) { ++ $('.b_update').click(); ++ } ++ } ++ }); ++ ++ // Logout ++ $("#logout").click(function(event) { ++ //$.get("/logout.html", function(){location.reload()}); ++ location.replace("/logout.html"); ++ }); ++ ++ // Toggle filters ++ $(document).on('click', '.fl_val_on', function(event) { ++ var wF = $(this).data("ft"); ++ switch (wF) { ++ case "tl": ++ ++ break; ++ case "ob": ++ $('#clear_search').click(); ++ break; ++ case "sn": ++ $(".chk_sen").each(function() { ++ $(this).prop("checked",false); ++ }); ++ $('.b_update').click(); ++ break; ++ } ++ }); ++ ++ function clearTags() { ++ //$(".tag").remove(); ++ //$(".tag_empty").show(); ++ $(".tag").removeClass('tag_active'); ++ } ++ ++ // ++ // Rows ++ // ++ ++ function closeRow() { ++ $("#active_eview").remove(); ++ $("#" + this.id).attr('class','d_row'); ++ $(".d_row").css('opacity','1'); ++ ltCol = $(".d_row_active").find('td.lt').html(); ++ $(".d_row_active").find('td.lt').css('background', ltCol); ++ $(".d_row_active").attr('class','d_row'); ++ // Update class_count ++ $("#class_count").text(lastclasscount); ++ // Get rid of any crashed loaders ++ $("#loader").hide(); ++ // Reset checkbox ++ $(".chk_all").prop("checked",false); ++ // Clear Tags ++ clearTags(); ++ } ++ function closeSubRow() { ++ $("#eview_sub1").remove(); ++ $("#" + this.id).attr('class','d_row_sub'); ++ $(".d_row_sub").css('opacity','1'); ++ $(".d_row_sub_active").attr('class','d_row_sub'); ++ // Update class_count ++ $("#class_count").text(lastclasscount); ++ curclasscount = lastclasscount; ++ $("#loader").hide(); ++ // Reset and 
show checkbox ++ $(".chk_all").prop("checked",false); ++ $("#ca0").show(); ++ // Remove any open externals ++ if ($("#extresult")[0]) $("#extresult").remove(); ++ // Clear Tags ++ clearTags(); ++ } ++ function closeSubRow1() { ++ $("#eview_sub2").remove(); ++ $("#" + this.id).attr('class','d_row_sub1'); ++ if (!$("#eview_sub3")[0]) { ++ $(".d_row_sub1").css('opacity','1'); ++ $(".d_row_sub_active1").attr('class','d_row_sub1'); ++ } ++ $("#loader").hide(); ++ // Reset checkbox ++ $(".chk_all").prop("checked",false); ++ // Remove any open externals ++ if ($("#extresult")[0]) $("#extresult").remove(); ++ // Clear Tags ++ clearTags(); ++ } ++ function closeSubRow2() { ++ $("#eview_sub3").remove(); ++ $("#" + this.id).attr('class','d_row_sub1'); ++ if (!$("#eview_sub2")[0]) { ++ $(".d_row_sub1").css('opacity','1'); ++ $(".d_row_sub1_active").attr('class','d_row_sub1'); ++ } ++ $("#loader").hide(); ++ // Clear Tags ++ clearTags(); ++ } ++ ++ // ++ // Level 1 ++ // ++ ++ $(document).on("click", ".row_active", function(event) { ++ var curID = $(this).parent('tr').attr('id'); ++ // What type of row are we? ++ rowType = curID.substr(0,3); ++ ++ // Make sure no other instances are open ++ if (!$(".d_row_active")[0] && rowType == 'sid') { ++ $("#loader").show(); ++ // This leaves us with sid-gid ++ var rowValue = curID.replace("sid-",""); ++ var sigID = rowValue.split("-")[0]; ++ ++ $(".d_row_active").attr('class', 'd_row'); ++ $("#active_eview").attr('class','d_row'); ++ ++ // This is now the active row ++ $("#" + curID).attr('class','d_row_active'); ++ $("html, body").animate({ scrollTop: $('.d_row_active').offset().top - 140 }, 20); ++ // History ++ var itemToAdd = $("#" + curID).find('[class*="row_filter"]').text(); ++ hItemAdd(itemToAdd); ++ // Set the class count (counted again after load) ++ curclasscount = $('.d_row_active').data('event_count'); ++ var cols = $('th.sort').length; ++ var tbl = ''; ++ tbl += ""; ++ tbl += "
"; ++ tbl += "
"; ++ tbl += "
"; ++ tbl += "
"; ++ tbl += "
"; ++ tbl += "
"; ++ tbl += "
"; ++ tbl += "
"; ++ tbl += ""; ++ tbl += "CATEGORIZE"; ++ tbl += curclasscount + "EVENT(S)  "; ++ tbl += "    "; ++ tbl += "CREATE FILTER: "; ++ tbl += "src  "; ++ tbl += "dst  "; ++ tbl += "both"; ++ tbl += "
"; ++ $("#" + curID).after(tbl); ++ ++ // Lookup signature ++ sigLookup(rowValue); ++ ++ // Fetch results ++ eventList("1-" + rowValue); ++ ++ $("#eview").show(); ++ $(".d_row").fadeTo('0','0.2'); ++ } else { ++ closeRow(); ++ } ++ }); ++ ++ // ++ // Level 2 ++ // ++ ++ $(document).on("click", ".sub_active", function() { ++ if (!$(".d_row_sub_active")[0]) { ++ var callerID = $(this).parent('tr').attr('id'); ++ ++ // Reset checkbox ++ $(".chk_all").prop("checked",false); ++ ++ // RT or ALL? ++ switch (rtbit) { ++ case 1: adqp = s2h("AND event.status = 0"); break; ++ case 0: adqp = s2h("empty"); break; ++ } ++ // We are now the active row ++ $("#" + callerID).attr('class','d_row_sub_active'); ++ ++ // Populate search times ++ var bt = $("#" + callerID).find('[class*="timestamp"]').html(); ++ var est = mkStamp(bt,"-",3600000,thisTZ); ++ var eet = mkStamp(bt,"+",3600000,thisTZ); ++ ++ $('#el_start').val(est); ++ $('#el_end').val(eet); ++ ++ // Clear search terms ++ $("#srchterms").html(''); ++ $(".srch_txt").val(''); ++ ++ // History and search ++ $("#" + callerID).find('[class*="sub_filter"]').each(function() { ++ if ($(this).data('type') == 'cc') { ++ var itemToAdd = $(this).data('value'); ++ } else { ++ var itemToAdd = $(this).text(); ++ // Add search terms ++ $("#srchterms").append("" + itemToAdd + "  "); ++ } ++ hItemAdd(itemToAdd); ++ }); ++ ++ $("#loader").show(); ++ eventList("2-" + callerID + "-" + adqp); ++ } else { ++ closeSubRow(); ++ } ++ }); ++ ++ // ++ // Level 3 (a or b) request payload ++ // ++ ++ $(document).on("click", ".sub1_active", function() { ++ // Close transcript if it is open ++ if ($(".eview_sub3")[0]) closeSubRow2(); ++ if (!$(".d_row_sub_active1")[0]) { ++ var callerID = $(this).parent('tr').attr('id'); ++ $("#" + callerID).attr('class','d_row_sub_active1'); ++ ++ // Populate search times ++ var bt = $("#" + callerID).find('[class*="timestamp"]').html(); ++ var est = mkStamp(bt,"-",1800000,thisTZ); ++ var eet = 
mkStamp(bt,"+",1800000,thisTZ); ++ ++ $('#el_start').val(est); ++ $('#el_end').val(eet); ++ ++ // Clear search terms ++ $("#srchterms").html(''); ++ $(".srch_txt").val(''); ++ ++ // History ++ $("#" + callerID).find('[class*="sub_filter"]').each(function() { ++ if ($(this).data('type') == 'cc') { ++ var itemToAdd = $(this).data('value'); ++ } else { ++ var itemToAdd = $(this).text(); ++ } ++ if ($(this).data('type') == 'ip') { ++ // Add search terms ++ $("#srchterms").append("" + itemToAdd + "  "); ++ } ++ hItemAdd(itemToAdd); ++ }); ++ $("#loader").show(); ++ eventList("3-" + callerID); ++ } else { ++ closeSubRow1() ++ } ++ }); ++ ++ // ++ // Level 3 (a or b) request transcript ++ // ++ ++ $(document).on("click", ".sub2_active", function(event) { ++ // Close payload if it is open ++ if ($(".eview_sub2")[0]) closeSubRow1(); ++ var bail = $("#loader").css('display'); ++ if (bail != 'none') return; ++ if (!$(".eview_sub3")[0]) { ++ $("#loader").show(); ++ composite = $(this).data('tx').split("-"); ++ rowLoke = composite[0]; ++ $("#" + rowLoke).attr('class','d_row_sub1_active'); ++ nCols = $("#" + rowLoke).find('td').length; ++ cid = composite[1]; ++ txdata = composite[2]; ++ ++ // See if a transcript is available ++ var urArgs = "type=" + 7 + "&txdata=" + txdata; ++ $(function(){ ++ $.post(".inc/callback.php?" + urArgs, function(data){cb5(data)}); ++ }); ++ ++ function cb5(data){ ++ eval("txRaw=" + data); ++ txCMD = txRaw.cmd; ++ txResult = txRaw.tx; ++ txDebug = txRaw.dbg; ++ if (txResult == "DEBUG:") txResult += " No data was returned."; ++ if (!txResult) { ++ txResult = "Transcript request failed!

"; ++ txResult += "The command was:
" + txCMD + "

"; ++ txResult += "The response was:" + txDebug.replace(/DEBUG:/g,"
"); ++ } ++ ++ var row = '',tbl = ''; ++ row += ""; ++ row += ""; ++ row += "
"; ++ row += txResult; ++ row += "
"; ++ ++ tbl += ""; ++ tbl += row; ++ tbl += ""; ++ $("#" + rowLoke).after(tbl); ++ ++ // Turn off fade effect for large results ++ var rC = $(".d_row_sub1").length; ++ if ( rC <= 399 ) { ++ $(".d_row_sub1").fadeTo('fast','0.2'); ++ } ++ ++ $("#loader").hide(); ++ } ++ } else { ++ closeSubRow2(); ++ } ++ }); ++ ++ // Toggle RT depending on entry point ++ $(document).on("click", ".b_ec_hot", function() { ++ rtbit = 1; ++ }); ++ $(document).on("click", ".b_ec_total", function() { ++ rtbit = 0; ++ }); ++ ++ // Filter constructor ++ function mkFilter() { ++ if ($('#search').val().length > 0) { ++ ++ var srchVal = $('#search').val(); ++ var fParts = ""; ++ ++ // If no term is supplied default to a string, IP or wildcard IP search ++ chkVal: ++ if (srchVal.indexOf(" ") == -1 && srchVal[0] != "!") { ++ var re = /^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}/; ++ if (re.exec(srchVal)) { ++ srchVal = "ip " + srchVal; ++ break chkVal; ++ } ++ ++ var re = /^(\d{1,3}|%)\.(\d{1,3}|%)\.(\d{1,3}|%)\.(\d{1,3}|%)/; ++ if (re.exec(srchVal)) { ++ srchVal = "wip " + srchVal; ++ break chkVal; ++ } ++ ++ srchVal = "sig " + srchVal; ++ } ++ ++ fParts = srchVal.replace(/^!/,"").split(" "); ++ if (fParts[0] == 'cmt') { ++ var theFilter = s2h($('#search').val()); ++ rtbit = 0; ++ } else { ++ // Now see if the requested filter exists ++ if ($("#tr_" + fParts[0]).length > 0) { ++ tmpFilter = $("#tr_" + fParts[0]).data('filter'); ++ // Now see if we need to modify the query ++ if (fParts[1]) { ++ // This is the base filter ++ preFilter = h2s(tmpFilter); ++ // This is the user supplied text. 
++ var re = new RegExp("^" + fParts[0] + "\\s{1}|[';\\\`]","g"); ++ theQuestion = fParts.join(' ').replace(re, ""); ++ // We will accept multiple questions if they are comma delimited ++ questionParts = theQuestion.split(","); ++ if (questionParts.length > 1) { ++ var f = '('; ++ for (var i = 0; i < questionParts.length; i++) { ++ f += preFilter.replace(/\$/g, questionParts[i]); ++ if (i != (questionParts.length - 1)) { ++ f += " OR "; ++ } ++ } ++ f += ')'; ++ theFilter = s2h(f); ++ } else { ++ var newFilter = preFilter.replace(/\$/g, questionParts[0]); ++ theFilter = s2h(newFilter); ++ } ++ } else { ++ theFilter = tmpFilter; ++ } ++ } else { // The filter does not exist ++ theFilter = s2h('empty'); ++ } ++ } ++ } else { // No filter supplied ++ theFilter = s2h('empty'); ++ } ++ return theFilter; ++ } ++ ++ // ++ // This creates the views for each level ++ // ++ ++ function eventList (type) { ++ theWhen = getTimestamp(); ++ statusPoll(0); ++ var parts = type.split("-"); ++ var filterMsg = ''; ++ var rt = 0; ++ var theSensors = s2h('empty'); ++ var theFilter = mkFilter(); ++ ++ // See if we are just RT events ++ if ($('#rt').text() == 'on' || rtbit == 1) { ++ rt = 1; ++ rtbit = 1; ++ } ++ // How are we sorting? 
++ var sortval = $("#event_sort").val(), sorttxt; ++ switch (sortval) { ++ case "DESC": sorttxt = "show oldest first"; break; ++ case "ASC": sorttxt = "show newest first"; break; ++ } ++ ++ // See if we are filtering by sensor ++ if ($('.chk_sen:checked').length > 0) { ++ var active_sensors = "AND event.sid IN("; ++ var iter = $('.chk_sen:checked').length; ++ $('.chk_sen:checked').each(function() { ++ active_sensors += "'" + $(this).val() + "',"; ++ }); ++ active_sensors = active_sensors.replace(/,+$/,''); ++ active_sensors += ")"; ++ theSensors = s2h(active_sensors); ++ } ++ ++ // Check for any filters ++ if (h2s(theFilter) != 'empty') { ++ $('.fl_val').text('YES'); ++ } else { ++ $('.fl_val').text('NO'); ++ } ++ ++ switch (parts[0]) { ++ ++ // Level 0 view - Grouped by Signature ++ case "0": ++ $('.value').text('-'); ++ ++ // Times Chart ++ var urChrtArgs = "type=22&ts=" + theWhen + "&filter=" + theFilter + "&sensors=" + theSensors; ++ $(function(){ ++ $.get(".inc/callback.php?" + urChrtArgs, function(data){cb22(data)}); ++ }); ++ ++ function cb22(data){ ++ eval("chartData=" + data); ++ var r = chartData.r; ++ if (r > 0) { ++ mkLine(".times",chartData.rows,chartData.m); ++ } ++ } ++ ++ var urArgs = "type=" + parts[0] + "&ts=" + theWhen + "&filter=" + theFilter + "&sensors=" + theSensors + "&rt=" + rt + "&sv=" + sortval; ++ $(function(){ ++ $.get(".inc/callback.php?" 
+ urArgs, function(data){cb1(data)}); ++ }); ++ function cb1(data){ ++ eval("d0=" + data); ++ var tbl = ''; ++ var head = ''; ++ var row = ''; ++ var cols = 11; ++ ++ if (rt == 0) cols = 12; ++ head += ""; ++ head += ""; ++ head += "QUEUE"; ++ if (rt == 0) head += "ALL"; ++ head += ""; ++ head += "SC"; ++ head += "DC"; ++ if (rt == 0) head += "CLASS"; ++ head += "ACTIVITY"; ++ head += "LAST EVENT"; ++ head += "SIGNATURE"; ++ head += "ID"; ++ head += "PROTO"; ++ head += "% TOTAL"; ++ head += ""; ++ ++ var sumEC = 0, sumSC = 0, sumDC = 0, sumSI = "-", spr1 = 0, spr2 = 0, spr3 = 0, spr4 = 0; ++ ++ if (d0.length > 0) { ++ // Sums for boxes ++ for (var i=0; i"; ++ row += "No result. If this is unexpected try this"; ++ } ++ ++ if (rt == 1) { ++ sumSC = "-"; ++ sumDC = "-"; ++ sumEC = eTotal; ++ } ++ ++ var sumRT = 0; ++ ++ // Tag Array ++ var tags = new Array(); ++ ++ for (var i=0; i 0 ) { ++ rtClass = "b_ec_hot"; ++ sumRT += parseInt(unClass); ++ } else { ++ rtClass = "b_ec_cold"; ++ } ++ ++ // Sum priorities ++ var prC = Number(d0[i].f1); ++ switch (d0[i].f13) { ++ case "1": spr1 += prC; break; ++ case "2": spr2 += prC; break; ++ case "3": spr3 += prC; break; ++ default: spr4 += prC; break; ++ } ++ ++ rid = "r" + i + "-" + parts[1]; ++ var cells = mkGrid(d0[i].f12); ++ if (rt == 0) var catCells = catGrid(d0[i].f11,0,0); ++ row += ""; ++ row += "
" + unClass + "
"; ++ if (rt == 0) row += "
" + d0[i].f1 + "
"; ++ row += "
" + d0[i].f13 + "
"; ++ row += "" +d0[i].f6+ ""; ++ row += "" +d0[i].f7+ ""; ++ if (rt == 0) row += "" + catCells + ""; ++ ++ timeParts = d0[i].f5.split(" "); ++ timeStamp = timeParts[1]; ++ ++ if ( sumEC > 0) { ++ rowPer = Number(d0[i].f1/sumEC*100).toFixed(3); ++ } else { ++ rowPer = "0.000"; ++ } ++ ++ row += "" + cells + ""; ++ row += "" + timeStamp + ""; ++ row += ""; ++ //row += "
" + d0[i].f2 + "
"; ++ row += d0[i].f2 + ""; ++ row += "" + d0[i].f3 + ""; ++ row += "" + d0[i].f8 + ""; ++ ++ ++ row += "" + rowPer + "%"; ++ row += ""; ++ } ++ ++ // Populate event summary ++ $('#qtotal').text(sumRT); ++ $('#etotal').text(sumEC); ++ $('#esignature').text(sumSI); ++ ++ // Populate tags ++ for (var i=0; i < tags.length; i++) { ++ addTag(tags[i]); ++ } ++ ++ tbl += ""; ++ tbl += head; ++ tbl += row; ++ tbl += "
"; ++ ++ $('#' + parts[1] + '-' + parts[2]).append(tbl); ++ ++ if (d0.length > 0) { ++ var prVals = [spr1,spr2,spr3,spr4]; ++ var pryBar = mkPribar(prVals); ++ } else { ++ var pryBar = mkPribar([0]); ++ } ++ $('#tl1').fadeIn('slow'); ++ $("#tl1").tablesorter(); ++ $("#loader").hide(); ++ } ++ break; ++ ++ // Level 1 view - Grouped by signature, source, destination ++ ++ case "1": ++ var urArgs = "type=" + parts[0] + "&object=" + parts[1] + "&ts=" + theWhen + "&filter=" + theFilter + "&sensors=" + theSensors + "&rt=" + rt + "&sv=" + sortval; ++ $(function(){ ++ $.get(".inc/callback.php?" + urArgs, function(data){cb2(data)}); ++ }); ++ ++ function cb2(data){ ++ eval("theData=" + data); ++ tbl = ''; ++ head = ''; ++ row = ''; ++ head += "QUEUE"; ++ if (rt == 0) head += "TOTAL"; ++ if (rt == 0) head += "CLASS"; ++ head += "ACTIVITY"; ++ head += "LAST EVENT"; ++ head += "SOURCE"; ++ head += "AGE"; ++ head += "COUNTRY"; ++ head += "DESTINATION"; ++ head += "AGE"; ++ head += "COUNTRY"; ++ head += ""; ++ var curclasscount = 0, tlCount = 0, rtCount = 0; ++ var timeValues = "", scid = ""; ++ ++ // Tag array ++ var tags = new Array(); ++ ++ for (var i=0; i 0 ) { ++ rtClass = "b_ec_hot"; ++ isActive = "sub_active"; ++ } else { ++ rtClass = "b_ec_cold"; ++ isActive = "sub"; ++ } ++ ++ // Aggregate time values ++ timeValues += theData[i].c_ts + ","; ++ var cells = mkGrid(theData[i].f12); ++ if (rt == 0) var catCells = catGrid(theData[i].c_status,0,0); ++ ++ // Event sums ++ tlCount += parseInt(count,10); ++ rtCount += parseInt(unclass,10); ++ ++ rid = "r" + i + "-" + parts[1] + "-" + src_ip + "-" + dst_ip; ++ row += ""; ++ row += "
" + unclass + "
"; ++ if (rt == 0) row += "
" + count + "
"; ++ if (rt == 0) row += "" + catCells + ""; ++ row += "" + cells + ""; ++ row += "" + max_time + ""; ++ row += "
" + src_ip + ""; ++ row += "" + src_age_n + ""; ++ row += ""; ++ row += cs[1] + src_clong + " (." + src_cc.toLowerCase() + ")" + ""; ++ row += "
" + dst_ip + ""; ++ row += "" + dst_age_n + ""; ++ row += ""; ++ row += cd[1] + dst_clong + " (." + dst_cc.toLowerCase() + ")" + ""; ++ row += ""; ++ } ++ ++ // Populate tags ++ for (var i=0; i < tags.length; i++) { ++ addTag(tags[i]); ++ } ++ ++ // Add scid's to checkbox ++ $("#ca0").data("scid", scid.replace(/,$/, "")); ++ ++ // If queue is empty provide event sums in case the user ++ // intends to reclass anything ++ if (rtbit == 1) { ++ curclasscount = rtCount; ++ } else { ++ curclasscount = tlCount; ++ } ++ ++ // update class_count ++ $("#class_count").html(curclasscount); ++ lastclasscount = $("#class_count").html(); ++ ++ // While in grouped events (RT) we remove rows as ++ // they are classed and subtract the values from "Total Events" ++ // This keeps etotal up to date so the math doesn't get silly ++ var oldrt = Number($(".d_row_active").find(".b_ec_hot").text()); ++ var oldec = Number($("#etotal").text()); ++ if (oldrt < rtCount) { ++ newrtcount = parseInt((rtCount - oldrt) + oldec); ++ $("#etotal").text(newrtcount); ++ } ++ ++ // Update parent counts ++ $(".d_row_active").find(".b_ec_hot").text(rtCount); ++ if (rt == 0) $(".d_row_active").find(".b_ec_total").text(tlCount); ++ ++ tbl += "
"; ++ tbl += head; ++ tbl += row; ++ tbl += "
"; ++ $("#eview").after(tbl); ++ $("#tl2").tablesorter({ ++ headers: { ++ 4: {sorter:'ipv4'}, ++ 6: {sorter:'ipv4'} ++ } ++ }); ++ $("#loader").hide(); ++ } ++ break; ++ ++ // Level 2 view - No grouping, individual events ++ ++ case "2": ++ var rowLoke = parts[1]; ++ var filter = $('#' + parts[1]).data('filter'); ++ var urArgs = "type=" + parts[0] + "&object=" + filter + "&filter=" + theFilter + "&sensors=" + theSensors + "&ts=" + theWhen + "&adqp=" + parts[2] + "&rt=" + rt + "&sv=" + sortval; ++ $(function(){ ++ $.get(".inc/callback.php?" + urArgs, function(data){cb3(data)}); ++ }); ++ ++ function cb3(data){ ++ eval("d2=" + data); ++ tbl = ''; ++ head = ''; ++ row = ''; ++ head += ""; ++ head += ""; ++ head += "ST"; ++ head += "TIMESTAMP"; ++ head += "EVENT ID"; ++ head += "SOURCE"; ++ head += "PORT"; ++ head += "DESTINATION"; ++ head += "PORT"; ++ head += "SIGNATURE"; ++ head += ""; ++ ++ // Update class_count ++ $("#class_count").html(0); ++ var tlCount=0, rtCount=0; ++ ++ // Tag array ++ var tags= new Array(); ++ ++ for (var i=0; i"; ++ tclass = "c" + eclass; ++ cv = classifications.class[tclass][0].short; ++ ++ // Populate tags array ++ if (src_tag != "-") { ++ var src_tags = src_tag.split(","); ++ $.each(src_tags, function(n,tag) { ++ var t = tags.indexOf(tag); ++ if (t < 0) tags.push(tag); ++ }); ++ } ++ ++ if (dst_tag != "-") { ++ var dst_tags = dst_tag.split(","); ++ $.each(dst_tags, function(n,tag) { ++ var t = tags.indexOf(tag); ++ if (t < 0) tags.push(tag); ++ }); ++ } ++ ++ // Timestamp ++ var compts = d2[i].f2.split(",") || "--"; ++ var timestamp = compts[0]; ++ var utctimestamp = compts[1]; ++ ++ // Event sums ++ tlCount += parseInt(1,10); ++ if (cv == "RT") { ++ rtCount += parseInt(1,10); ++ } ++ ++ // Transcript link ++ // original Squert native pivot: ++ //txdata = "s" + i + "-" + cid + "-" + s2h(sid + "|" + utctimestamp + "|" + src_ip + "|" + src_port + "|" + dst_ip + "|" + dst_port); ++ //txBit = "" + sid + "." + cid + "
"; ++ //if (src_port != "-" && dst_port != "-") { ++ // txBit = "" + sid + "." + cid + ""; ++ //} ++ // new pivot to CapMe: ++ txdata = "s" + i + "-" + cid + "-" + s2h(sid + "|" + utctimestamp + "|" + src_ip + "|" + src_port + "|" + dst_ip + "|" + dst_port); ++ txBit = "" + sid + "." + cid + ""; ++ if (src_port != "-" && dst_port != "-") { ++ var startDate = new Date(utctimestamp); ++ var start_tz_offset = (startDate.getTimezoneOffset()); ++ var stime = startDate.setTime( startDate.getTime()/1000-(start_tz_offset*60) ) - 3600; ++ var endDate = new Date(utctimestamp); ++ var end_tz_offset = (endDate.getTimezoneOffset()); ++ var etime = endDate.setTime( endDate.getTime()/1000-(end_tz_offset*60) ) + 3600; ++ txBit = " " + sid + "." + cid + ""; ++ } ++ ++ row += ""; ++ row += "
"; ++ row += cv + "
"; ++ row += "" + timestamp + ""; ++ row += txBit; ++ row += "" + src_ip + ""; ++ row += "" + src_port + ""; ++ row += "" + dst_ip + ""; ++ row += "" + dst_port + ""; ++ row += "" + signature + ""; ++ row += ""; ++ } ++ ++ // Update parent counts ++ $(".d_row_sub_active").find(".b_ec_hot").text(rtCount); ++ if ($(".d_row_sub_active").find(".b_ec_total").text() < tlCount) { ++ $(".d_row_sub_active").find(".b_ec_total").text(tlCount); ++ } ++ ++ var cols = $('th.sort').length; ++ ++ // Populate tags ++ clearTags(); ++ for (var i=0; i < tags.length; i++) { ++ addTag(tags[i]); ++ } ++ ++ tbl += ""; ++ tbl += ""; ++ tbl += head; ++ tbl += row; ++ tbl += "
"; ++ $("#" + rowLoke).after(tbl); ++ $(".d_row_sub").fadeTo('0','0.2'); ++ $("#loader").hide(); ++ $("#tl3").tablesorter({ ++ headers: { ++ 0:{sorter:false}, ++ 4:{sorter:'ipv4'}, ++ 6:{sorter:'ipv4'} ++ }, ++ cancelSelection:false ++ }); ++ $("#ca0").hide(); ++ } ++ break; ++ ++ // Level 2a view - No grouping, individual events ++ ++ case "2a": ++ $('.value').text('-'); ++ var urArgs = "type=2a&ts=" + theWhen + "&filter=" + theFilter + "&sensors=" + theSensors + "&rt=" + rt + "&sv=" + sortval; ++ $(function(){ ++ $.get(".inc/callback.php?" + urArgs, function(data){cb3a(data)}); ++ }); ++ ++ function cb3a(data){ ++ eval("d2a=" + data); ++ var tbl = ''; ++ var head = ''; ++ var row = ''; ++ var disabled = ''; ++ if (d2a.length == 0) { ++ disabled = "disabled"; ++ row += ""; ++ row += "No result. If this is unexpected try this"; ++ } ++ ++ head += ""; ++ head += ""; ++ head += ""; ++ head += "ST"; ++ head += ""; ++ head += "TIMESTAMP"; ++ head += "ID"; ++ head += "SOURCE"; ++ head += "PORT"; ++ head += "AGE"; ++ head += "CC"; ++ head += "DESTINATION"; ++ head += "PORT"; ++ head += "AGE"; ++ head += "CC"; ++ head += "SIGNATURE"; ++ head += ""; ++ ++ // Aggregate time values ++ var timeValues = ""; ++ for (var ts=0; ts" + sid + "." + cid + ""; ++ //if (src_port != "-" && dst_port != "-") { ++ // txBit = "" + sid + "." + cid + ""; ++ //} ++ // new pivot to CapMe: ++ txdata = "s" + i + "-" + cid + "-" + s2h(sid + "|" + utctimestamp + "|" + src_ip + "|" + src_port + "|" + dst_ip + "|" + dst_port); ++ txBit = "" + sid + "." + cid + ""; ++ if (src_port != "-" && dst_port != "-") { ++ var startDate = new Date(utctimestamp); ++ var start_tz_offset = (startDate.getTimezoneOffset()); ++ var stime = startDate.setTime( startDate.getTime()/1000-(start_tz_offset*60) ) - 3600; ++ var endDate = new Date(utctimestamp); ++ var end_tz_offset = (endDate.getTimezoneOffset()); ++ var etime = endDate.setTime( endDate.getTime()/1000-(end_tz_offset*60) ) + 3600; ++ txBit = " " + sid + "." 
+ cid + ""; ++ } ++ ++ row += ""; ++ row += ""; ++ row += "
"; ++ row += cv + "
"; ++ row += "
" + d2a[i].f16 + "
"; ++ row += "" + timestamp + ""; ++ row += txBit; ++ row += "
" + src_ip + ""; ++ row += "" + src_port + ""; ++ row += "" + src_age_n + ""; ++ row += "" + cs[1] + ""; ++ row += "
" + dst_ip + ""; ++ row += "" + dst_port + ""; ++ row += "" + dst_age_n + "" ++ row += "" + cd[1] + ""; ++ row += "" + signature + ""; ++ } ++ ++ var sumED = 0, sumEC = 0, cmsg = ""; ++ ++ if (d2a.length > 0) { ++ sumED = i; ++ sumEC = d2a.length; ++ } ++ ++ if (d2a.length >= maxI) { ++ sumRE = sumEC - maxI; ++ cmsg = " / " + sumRE + " not shown"; ++ } ++ ++ $("#qtotal").html(rsumRT); ++ ++ // Populate tags ++ clearTags(); ++ for (var i=0; i < tags.length; i++) { ++ addTag(tags[i]); ++ } ++ ++ // Draw ++ tbl += ""; ++ tbl += "
"; ++ tbl += "
"; ++ tbl += "
"; ++ tbl += "categorize " + 0 + ""; ++ tbl += " of " + sumED + " event(s)" + cmsg; ++ tbl += "
"; ++ tbl += "
" + sorttxt + "
"; ++ tbl += "
"; ++ tbl += "
"; ++ tbl += ""; ++ tbl += head; ++ tbl += row; ++ tbl += "
"; ++ $('#' + parts[1] + '-' + parts[2]).after(tbl); ++ ++ if (d2a.length > 0) { ++ var prVals = [spr1,spr2,spr3,spr4]; ++ var pryBar = mkPribar(prVals); ++ } else { ++ var pryBar = mkPribar([0]); ++ } ++ $("#tl3a,#tl3b").fadeIn('slow'); ++ $("#tl3b").tablesorter({ ++ headers: { ++ 0:{sorter:false}, ++ 1:{sorter:false}, ++ 5:{sorter:'ipv4'}, ++ 8:{sorter:'ipv4'} ++ }, ++ cancelSelection:false ++ }); ++ $("#loader").hide(); ++ } ++ break; ++ ++ // Level 3 view - Packet Data ++ ++ case "3": ++ var rowLoke = parts[1]; ++ var nCols = $('#' + parts[1]).data('cols'); ++ var filter = $('#' + parts[1]).data('filter'); ++ var urArgs = "type=" + parts[0] + "&object=" + filter + "&ts=" + theWhen; ++ var sg = $('#' + parts[1]).data('sg'); ++ $(function(){ ++ $.get(".inc/callback.php?" + urArgs, function(data){cb4(data)}); ++ }); ++ ++ function cb4(data){ ++ eval("theData=" + data); ++ ++ var tbl = '', head = '', row = ''; ++ ++ // If IP version is 0 we can jump right to the payload (likely bro, http or ossec agent) ++ if (theData[0].ip_ver != 0) { ++ ++ var PDATA = 0; ++ head += ""; ++ head += ""; ++ head += ""; ++ head += ""; ++ head += ""; ++ head += ""; ++ head += ""; ++ head += ""; ++ head += ""; ++ head += ""; ++ head += ""; ++ head += ""; ++ head += ""; ++ head += ""; ++ ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += "
IPVERIHLTOSLENGTHIDFLAGSOFFSETTTLCHECKSUMPROTO
" + theData[0].ip_ver + "" + theData[0].ip_hlen + "" + theData[0].ip_tos + "" + theData[0].ip_len + "" + theData[0].ip_id + "" + theData[0].ip_flags + "" + theData[0].ip_off + "" + theData[0].ip_ttl + "" + theData[0].ip_csum + "" + theData[0].ip_proto + "
"; ++ ++ switch (theData[0].ip_proto) { ++ case "1": ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += "
ICMPTYPECODECHECKSUMIDSEQ#
" + theData[1].icmp_type + "" + theData[1].icmp_code + "" + theData[1].icmp_csum + "" + theData[1].icmp_id + "" + theData[1].icmp_seq + "
"; ++ break; ++ ++ case "6": ++ // TCP flags ++ var tmpFlags = theData[1].tcp_flags || 'z'; ++ switch (tmpFlags) { ++ case 'z': var tcpFlags = '--------'; break; ++ default: ++ var binFlags = Number(theData[1].tcp_flags).toString(2); ++ var binPad = 8 - binFlags.length; ++ var tcpFlags = "00000000".substring(0,binPad) + binFlags; ++ break; ++ } ++ var tcp_seq = theData[1].tcp_seq || '-'; ++ var tcp_ack = theData[1].tcp_ack || '-'; ++ var tcp_off = theData[1].tcp_off || '-'; ++ var tcp_res = theData[1].tcp_res || '-'; ++ var tcp_win = theData[1].tcp_win || '-'; ++ var tcp_urp = theData[1].tcp_urp || '-'; ++ var tcp_csum = theData[1].tcp_csum || '-'; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += "
TCPR1R0URGACKPSHRSTSYNFINSEQ#ACK#OFFSETRESWINURPCHECKSUM
" + tcpFlags[0] + "" + tcpFlags[1] + "" + tcpFlags[2] + "" + tcpFlags[3] + "" + tcpFlags[4] + "" + tcpFlags[5] + "" + tcpFlags[6] + "" + tcpFlags[7] + "" + tcp_seq + "" + tcp_ack + "" + tcp_off + "" + tcp_res + "" + tcp_win + "" + tcp_urp + "" + tcp_csum + "
"; ++ break; ++ ++ case "17": ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += "
UDPLENGTHCHECKSUM
" + theData[1].udp_len + "" + theData[1].udp_csum + "
"; ++ break; ++ } ++ ++ var p_hex = '', p_ascii = '', p_ascii_l = ''; ++ ++ // Data ++ if (!theData[2]) { ++ p_hex = "No Data Sent."; ++ p_ascii = "No Data Sent."; ++ } else { ++ p_pl = theData[2].data_payload; ++ p_length = theData[2].data_payload.length; ++ var b0 = 0; ++ ++ for(var i=0; i < p_length; i+=2) { ++ b0++; ++ t_hex = p_pl.substr(i,2); ++ t_int = parseInt(t_hex,16); ++ ++ if ((t_int < 32) || (t_int > 126)) { ++ p_hex += t_hex + " "; ++ p_ascii += "."; ++ p_ascii_l += "."; ++ } else if (t_int == 60) { ++ p_hex += t_hex + " "; ++ p_ascii += "<"; ++ p_ascii_l += "<"; ++ } else if (t_int == 62) { ++ p_hex += t_hex + " "; ++ p_ascii += ">"; ++ p_ascii_l += ">"; ++ } else { ++ p_hex += t_hex + " "; ++ p_ascii += String.fromCharCode(parseInt(t_hex, 16)); ++ p_ascii_l += String.fromCharCode(parseInt(t_hex, 16)); ++ } ++ ++ if ((b0 == 16) && (i < p_length)) { ++ p_hex += "
"; ++ p_ascii += "
"; ++ b0 = 0; ++ } ++ } ++ } ++ ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += "
DATAHEXASCII
" + p_hex + "" + p_ascii + "
ASCII" + p_ascii_l + "
"; ++ ++ } else { ++ ++ head += ""; ++ var p_ascii = "No Data Sent."; ++ // This needs to be more robust. ++ if (theData[2]) { ++ var tmp = h2s(theData[2].data_payload).split("\n"); ++ p_ascii = ''; ++ for (var i in tmp) { ++ p_ascii += "
" + tmp[i] + "
"; ++ } ++ ++ } ++ row += ""; ++ row += ""; ++ row += "
" + p_ascii + "
"; ++ } ++ ++ tbl += ""; ++ ++ // If we are not grouped we show the signature text ++ if ( sg != 0 ) { ++ tbl += "
"; ++ tbl += "
"; ++ tbl += "
"; ++ tbl += "
"; ++ tbl += "
"; ++ tbl += "
"; ++ sigLookup(sg); ++ } ++ ++ // Comments and tags are done here ++ var tags = new Array(); ++ var eventTag = 'None.'; ++ var eventComment = theData[0].comment || 'None.'; ++ var src_tag = theData[0].srctag || '-'; ++ var dst_tag = theData[0].dsttag || '-'; ++ ++ // Populate tags array ++ if (src_tag != "-") { ++ var src_tags = src_tag.split(","); ++ $.each(src_tags, function(n,tag) { ++ var t = tags.indexOf(tag + ",s"); ++ if (t < 0) tags.push(tag + ",s"); ++ }); ++ } ++ ++ if (dst_tag != "-") { ++ var dst_tags = dst_tag.split(","); ++ $.each(dst_tags, function(n,tag) { ++ var t = tags.indexOf(tag + ",d"); ++ if (t < 0) tags.push(tag + ",d"); ++ }); ++ } ++ ++ if (tags.length > 0) eventTag = ''; ++ ++ tbl += "
COMMENTS
"; ++ tbl += "
" + eventComment + "
"; ++ tbl += "
TAGS
"; ++ tbl += "
" + eventTag + "
"; ++ if (PDATA != 0) { ++ tbl += "
DETAILS
"; ++ } else { ++ tbl += "
PAYLOAD
"; ++ } ++ tbl += head; ++ tbl += row; ++ tbl += ""; ++ $("#" + rowLoke).after(tbl); ++ $("#loader").hide(); ++ ++ // Turn off fade effect for large results ++ var rC = $(".d_row_sub1").length; ++ if ( rC <= 499 ) { ++ $(".d_row_sub1").fadeTo('fast','0.2'); ++ } ++ ++ // Populate tags ++ clearTags(); ++ for (var i=0; i < tags.length; i++) { ++ addTag(tags[i]); ++ } ++ ++ } ++ break; ++ } ++ // If event queue is off we need to reset this after load if b_ec_hot was ++ // the entry point ++ if ($('#rt').text() == 'off') rtbit = 0; ++ } ++ ++ // ++ // Object click handlers ++ // ++ ++ $(document).on("click", ".select,.ex_val,.sub_filter,.row_filter,.tof,.value_link,.nr_f", function(e) { ++ // Check if we are coming from a legit object ++ var prefix = $(this).data('type'); ++ if (prefix == "none") return; ++ ++ // Check if we are coming from a sane selection ++ var selLen = window.getSelection().toString().length; ++ if (selLen > 4) { ++ if (selLen < 255) { // Might need to change these based on how people use this ++ prefix = "zz"; ++ var suffix = window.getSelection().toString(); ++ var re = /\s/g; ++ var NOK = re.exec(suffix); ++ if (NOK) return; ++ } else { ++ return; ++ } ++ } else { ++ var suffix = $(this).text(); ++ } ++ ++ var mX = e.pageX; ++ var mY = e.pageY; ++ ++ var colour = $(this).data('col') || "FFFFFF"; ++ var tfocus = "#search"; ++ switch (prefix) { ++ case 'ip': ++ hItemAdd(suffix); ++ var sord = $(this).data('sord'); ++ mkPickBox(prefix,suffix,sord,colour,mX,mY); ++ break; ++ case 'spt': ++ case 'dpt': ++ hItemAdd(suffix); ++ mkPickBox(prefix,suffix,0,colour,mX,mY); ++ break; ++ case 'cc': ++ case 'scc': ++ case 'dcc': ++ var cc = $(this).data('value'); ++ hItemAdd(cc); ++ mkPickBox(prefix,cc,suffix,colour,mX,mY); ++ break; ++ case 'cmt': ++ suffix = $(this).data('comment'); ++ $("#rt").text("off"); ++ $("#rt").attr('class','tvalue_off'); ++ $('#search').val(prefix + " " + suffix); ++ hItemAdd(suffix); ++ if ($('#cat_box').css('display') != 'none') { 
++ $('#ico01').click(); ++ } ++ $('.b_update').click(); ++ break; ++ case 'cmt_c': ++ $('.cat_msg_txt').val(suffix); ++ hItemAdd(suffix); ++ tfocus = ".cat_msg_txt"; ++ break; ++ case 'fil': ++ var fil = $(this).data('value'); ++ $('#search').val(fil); ++ hItemAdd(fil); ++ if ($('#fltr_box').css('display') != 'none') { ++ $('#ico04').click(); ++ } ++ $('.b_update').click(); ++ break; ++ case 'sid': ++ var value = $(this).data('value'); ++ hItemAdd(suffix); ++ mkPickBox(prefix,value,suffix,colour,mX,mY); ++ break; ++ case 'st': ++ var suffix = $(this).attr('id').split('-')[1]; ++ $('#search').val(prefix + " " + suffix); ++ // RT must be off to return anything ++ $('#rt').attr('class','tvalue_off'); ++ $('#rt').text('off'); ++ rtbit = 0; ++ $('.b_update').click(); ++ break; ++ case 'el': ++ var suffix = $(this).data('value'); ++ mkPickBox(prefix,suffix,0,colour,mX,mY); ++ break; ++ case 'zz': ++ hItemAdd(suffix); ++ mkPickBox(prefix,suffix,0,colour,mX,mY); ++ break; ++ } ++ }); ++ ++ // ++ // Picker Box ++ // ++ ++ function mkPickBox(prefix,suffix,rsuffix,colour,mX,mY) { ++ var doexternals = "yes"; ++ var objhex = s2h(suffix); ++ var tbl = '', row = ''; ++ // Local stuff first ++ switch (prefix[prefix.length - 1]) { ++ case "c": ++ row += ":: SRC or DST"; ++ row += ":: SRC"; ++ row += ":: DST"; ++ row += ":: SEARCH"; ++ break; ++ case "p": ++ row += ":: SRC or DST"; ++ row += ":: SRC"; ++ row += ":: DST"; ++ row += ":: ADD / REMOVE TAG"; ++ if ($('.sigtxt')[0]) { ++ row += ":: HISTORY"; ++ } ++ row += ":: SEARCH"; ++ row += ":: COLOUR  "; ++ row += ""; ++ row += "apply"; ++ row += "apply all"; ++ row += ""; ++ break; ++ case "t": ++ row += ":: SRC"; ++ row += ":: DST"; ++ row += ":: SEARCH"; ++ break; ++ case "d": ++ row += ":: SIGNATURE"; ++ if ($('.sigtxt')[0]) { ++ row += ":: HISTORY"; ++ } ++ row += ":: SEARCH"; ++ break; ++ case "l": ++ row += ":: COLOUR  "; ++ row += ""; ++ row += "update"; ++ doexternals = "no"; ++ break; ++ case "z": ++ row += ":: SEARCH"; ++ 
break; ++ } ++ ++ // If applicable populate externals ++ if (doexternals == "yes") { ++ $('.f_row').each(function() { ++ var ct = $(this).data('type'); ++ if (ct == 'url') { ++ var alias = $(this).data('alias'); ++ var name = $(this).data('name'); ++ var url = $(this).data('filter'); ++ row += ""; ++ row += "" + name + ""; ++ row += ""; ++ } ++ }); ++ } ++ ++ tbl += ""; ++ tbl += row; ++ tbl += "
"; ++ ++ var boxlabel = suffix; ++ ++ // Use more descriptive names where possible ++ var re = /(sid|cc|scc|dcc)/; ++ var OK = re.exec(prefix); ++ if (OK) { ++ var boxlabel = rsuffix; ++ } ++ ++ if (boxlabel.length > 24) { ++ boxlabel = boxlabel.substring(0,24); ++ boxlabel += ".."; ++ } ++ ++ $('#pickbox_label').text(boxlabel).css('font-weight','normal').data('sord', rsuffix); ++ ++ if ($('#tlpick')[0]) $('#tlpick').remove(); ++ $(".pickbox_tbl").append(tbl); ++ $('.pickbox').fadeIn('fast'); ++ ++ // Colour Picker ++ $("#menucol").spectrum({ ++ showInput: true, ++ className: "full-spectrum", ++ showInitial: true, ++ showPalette: true, ++ showSelectionPalette: true, ++ maxPaletteSize: 6, ++ preferredFormat: "hex", ++ localStorageKey: "spectrum.demo", ++ move: function (color) {}, ++ show: function () {}, ++ beforeShow: function () {}, ++ hide: function () {}, ++ change: function() {}, ++ palette: [ ++ ['rgb(217,217,217)','rgb(189,189,189)','rgb(150,150,150)','rgb(99,99,99)','rgb(37,37,37)'], ++ ['rgb(199,233,192)','rgb(161,217,155)','rgb(116,196,118)','rgb(49,163,84)','rgb(0,109,44)'], ++ ['rgb(218,218,235)','rgb(188,189,220)','rgb(158,154,200)','rgb(117,107,177)','rgb(84,39,143)'], ++ ['rgb(198,219,239)','rgb(158,202,225)','rgb(107,174,214)','rgb(49,130,189)','rgb(8,81,156)'], ++ ['rgb(254,217,118)','rgb(254,178,76)','rgb(253,141,60)','rgb(240,59,32)','rgb(189,0,38)'] ++ ] ++ }); ++ } ++ ++ // Pickbox click events ++ $(document).on('click', '.p_row', function() { ++ if ($('.tagbox').css('display') != 'none') $('.tagcancel').click(); ++ var ctype = $(this).data('type'); ++ var alias = $(this).data('alias'); ++ var args = $('#tlpick').data('val'); ++ switch(ctype) { ++ case "l": ++ $('.pickbox').fadeOut('fast'); ++ $('#search').val(alias + " " + args); ++ $('.b_update').click(); ++ break; ++ case "r": ++ $('.pickbox').fadeOut('fast'); ++ var url = h2s($(this).data('url')).replace("${var}", args); ++ window.open(url); ++ break; ++ case "t": ++ 
$('.tagbox').fadeIn('fast'); ++ $('.taginput').focus(); ++ break; ++ case "s": ++ $('.pickbox').fadeOut('fast', function() {; ++ $('#ico05').click(); ++ }); ++ $('.srch_txt').val(args); ++ break; ++ case "h": ++ doHistory(args); ++ $('.pickbox').fadeOut('fast'); ++ break; ++ default: return; ++ } ++ }); ++ ++ // ++ // Tags ++ // ++ ++ // Truncate ++ function truncTag(tag,len) { ++ if (tag.length > len) tag = tag.substring(0,len) + ".."; ++ return tag; ++ } ++ ++ // Filter results or add as new ++ $(document).on('click', '.tag', function() { ++ var tag = $(this).data('val'); ++ if($('.taginput').is(":visible")) { ++ $('.taginput').val(tag); ++ $('.taginput').focus(); ++ } else { ++ $('#search').val('tag ' + tag); ++ $('.b_update').click(); ++ } ++ }); ++ ++ // Remove individual tags on "(X)" click via payload area ++ $(document).on('mouseenter', '.tag_d, .tag_s', function() { ++ var tag = $(this).data('val'); ++ if ($(".tag_x")[0]) return; ++ var dw = $(this).width() - 5 + "px"; ++ $(this).append("
X
"); ++ $(".tag_x").css("margin-left", dw); ++ $(".tag_x").fadeIn("slow"); ++ ++ }); ++ ++ $(document).on('mouseleave', '.tag_d, .tag_s', function() { ++ $('.tag_x').remove(); ++ }); ++ ++ $(document).on('click', '.tag_x', function() { ++ var tag = $(this).parent().data("val"); ++ var obj = $(this).parent().data("obj"); ++ $(this).parent().remove(); ++ var len = $("#tag_area").text().length; ++ if (len == 0) $("#tag_area").append("None."); ++ //doTag(s2h(obj),tag,'rm'); ++ }); ++ ++ // Fire tag add on enter ++ $('.taginput').keypress(function(e) { ++ if (!e) e=window.event; ++ key = e.keyCode ? e.keyCode : e.which; ++ if (key == 13) $('.tagok').click(); ++ }); ++ ++ // Close tag entry ++ $(document).on('click', '.tagcancel', function() { ++ $('.taginput').val(''); ++ $('.tagbox').fadeOut('fast'); ++ }); ++ ++ // Add a tag ++ $(document).on('click', '.tagok', function() { ++ var tag = $('.taginput').val(); ++ var obj = $('#pickbox_label').text(); ++ var re = /^[?a-zA-Z0-9][\s{1}\w-\.]*$/; ++ var OK = re.exec(tag); ++ if (OK) doTag(s2h(obj),tag,'add'); ++ }); ++ ++ // Remove a tag ++ $(document).on('click', '.tagrm', function() { ++ var tag = truncTag($('.taginput').val(),20); ++ var obj = $('#pickbox_label').text(); ++ doTag(s2h(obj),tag,'rm'); ++ $(".tag" + ":contains('" + tag + "')").remove(); ++ $('.tagcancel').click(); ++ }); ++ ++ // Display or Toggle tags ++ function addTag(tag) { ++ // If we entered from payload we have some additional info ++ if ($('#eview_sub2')[0]) { ++ var longTag = tag.split(",")[0]; ++ var theClass = tag.split(",")[1]; ++ var t_tag = truncTag(longTag,20); ++ } else { ++ var t_tag = truncTag(tag,20); ++ } ++ ++ // Hide empty ++ $('.tag_empty').hide(); ++ ++ // Check if tag exists ++ var tag_exists = 0; ++ $('.tag').each(function() { ++ if ($(this).text() == t_tag) { ++ $(this).addClass('tag_active'); ++ tag_exists = 1; ++ } ++ }); ++ ++ // Add tag to left pane ++ if (tag_exists == 0) { ++ var newTag = "
" + t_tag + "
"; ++ $('#tg_box').prepend(newTag); ++ } ++ ++ // If we have the payload open, add here as well ++ if ($('#eview_sub2')[0]) { ++ if($('#pickbox_label').is(":visible")) { ++ theClass = $('#pickbox_label').data('sord')[0]; ++ } ++ // Remove placeholder ++ if ($('#tag_none')[0]) $('#tag_none').remove(); ++ var newTag = "
" + t_tag + "
"; ++ $('#tag_area').prepend(newTag); ++ } ++ ++ } ++ ++ function doTag(obj,tag,op) { ++ var urArgs = "type=19&obtype=tag&object=" + obj + "&value=" + tag + "&op=" + op; ++ $(function(){ ++ $.post(".inc/callback.php?" + urArgs, function(data){cb22(data)}); ++ }); ++ ++ function cb22(data){ ++ eval("theData=" + data); ++ if (theData.msg != '') { ++ alert(theData.msg); ++ } else { ++ if (op != 'rm') addTag(tag); ++ $('.tagcancel').click(); ++ } ++ } ++ } ++ ++ // Colours ++ $(document).on('click', '.csave', function() { ++ var obtype = $(this).data('obtype'); ++ var object = $(this).data('object'); ++ var colour = $('#menucol').val().replace(/#/,"").toUpperCase(); ++ var op = "add"; ++ var re = /^([A-Fa-f0-9]{6}|[A-Fa-f0-9]{3})$/; ++ var OK = re.exec(colour); ++ if (!OK) return; ++ // Single or multiple? ++ if (obtype == "src" || obtype == "dst") { ++ var vr = new Array(); ++ $("." + obtype).each(function() { ++ var v = $(this).text(); ++ var re = /\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}/; ++ var OK = re.exec(v); ++ if (OK) { ++ var t = vr.indexOf(v); ++ if (t < 0) vr.push(v); ++ } ++ }); ++ object = vr.toString(); ++ } ++ ++ var urArgs = "type=19&obtype=" + obtype + "_c&object=" + object + "&value=" + colour + "&op=" + op; ++ $(function(){ ++ $.post(".inc/callback.php?" + urArgs, function(data){cb22(data)}); ++ }); ++ ++ function cb22(data){ ++ eval("theData=" + data); ++ if (theData.msg != '') { ++ alert(theData.msg); ++ } else { // We should be good.. ++ var curObject = $('#pickbox_label').text(); ++ if (obtype == "el") { ++ var html = "
" + colour; ++ $('#el_' + curObject).html(html); ++ $('#el_' + curObject).data('col', colour); ++ } else { ++ $(".sub_filter:contains(" + curObject + ")").each(function() { ++ $(this).find('.object').css('background-color', '#' + colour).parent().data('col', colour); ++ }); ++ } ++ $('.pickbox').fadeOut('fast'); ++ } ++ } ++ }); ++ ++ $(document).on('click', '.pickbox_close', function() { ++ $('.tagcancel').click(); ++ $('.pickbox').fadeOut('fast'); ++ }); ++ ++ // ++ // Object History ++ // ++ ++ function hItemAdd(item) { ++ var itemTitle = item; ++ // Truncate ++ if (item.length > 33) { ++ itemTitle = item.substring(0,33) + ".."; ++ } ++ // Remove empty message ++ $('.history_empty').hide(); ++ ++ // If the item doesn't exist, add it. Otherwise, we start counting. ++ if ($(".h_item:contains('" + itemTitle + "')").length > 0) { ++ var oc = $(".h_item:contains('" + itemTitle + "')").data('n'); ++ var nc = Number(oc) + 1; ++ var bg = '#c9c9c9'; ++ var fn = 'normal'; ++ if (nc <= 3) { ++ bg = '#000'; ++ } else if (nc > 3) { ++ bg = '#cc0000'; ++ fn = 'bold'; ++ } ++ ++ $(".h_item:contains('" + itemTitle + "')").css('color', bg); ++ $(".h_item:contains('" + itemTitle + "')").css('font-weight', fn); ++ $(".h_item:contains('" + itemTitle + "')").data('n',nc); ++ $(".h_item:contains('" + itemTitle + "')").text(itemTitle + "(" + nc + ")"); ++ } else { ++ var toAdd = " " + itemTitle + ""; ++ $('#h_box').prepend(toAdd); ++ } ++ } ++ ++ if (!$('.h_item')[0]) { ++ $('.history_empty').show(); ++ } ++ ++ // Alt mappings for icons ++ ++ $.alt('1', function() { ++ $("#ico01").click(); ++ }); ++ $.alt('2', function() { ++ $("#ico02").click(); ++ }); ++ $.alt('3', function() { ++ $("#ico03").click(); ++ }); ++ $.alt('4', function() { ++ $("#ico05").click(); ++ }); ++ $.alt('5', function() { ++ $("#ico04").click(); ++ }); ++ ++ // ++ // Event classification ++ // ++ ++ // Use function keys to trigger status buttons ++ $(document).keydown(function(event){ ++ ++ function stopOthers() 
{ ++ event.originalEvent.keyCode = 0; ++ event.preventDefault(); ++ event.stopPropagation(); ++ } ++ ++ switch (event.keyCode) { ++ case 112: stopOthers(); $('#b_class-11').click(); break; ++ case 113: stopOthers(); $('#b_class-12').click(); break; ++ case 114: stopOthers(); $('#b_class-13').click(); break; ++ case 115: stopOthers(); $('#b_class-14').click(); break; ++ case 116: stopOthers(); $('#b_class-15').click(); break; ++ case 117: stopOthers(); $('#b_class-16').click(); break; ++ case 118: stopOthers(); $('#b_class-17').click(); break; ++ case 119: stopOthers(); $('#b_class-1').click(); break; ++ case 120: stopOthers(); $('#b_class-2').click(); break; ++ } ++ }); ++ ++ // Comment window status buttons ++ $(document).on("click", "#cw_buttons", function(event) { ++ var newclass = $(event.target).data('n'); ++ if (newclass == 0) { ++ $('#b_class-' + newclass).click(); ++ } else { ++ $('#b_class-' + newclass).click(); ++ } ++ }); ++ ++ // Highlight colour for selected events ++ var hlcol = "#FFFFE0"; ++ var hlhov = "#FDFDD6"; ++ ++ // Individual selects ++ var clickOne = 0, clck1 = 0, clck2 = 0; ++ $(document).on("click", ".chk_event", function(event) { ++ $("#tl3b").trigger('update'); ++ var clickTwo = this.id.split("_"); ++ if (Number(clickOne[1]) > Number(clickTwo[1])) { ++ clck1 = clickTwo[1]; ++ clck2 = clickOne[1]; ++ } else { ++ clck1 = clickOne[1]; ++ clck2 = clickTwo[1]; ++ } ++ ++ if (event.shiftKey) { ++ if (clck1 != clck2) { ++ $("#s" + clck1).nextUntil("#s" + clck2).find(".chk_event").prop("checked", true); ++ $("#s" + clck1).nextUntil("#s" + clck2).css("background-color", hlcol); ++ $("#s" + clck1).nextUntil("#s" + clck2).hover( ++ function(){$(this).css("background-color", hlhov)}, ++ function(){$(this).css("background-color", hlcol)}); ++ clickOne = 0, clck1 = 0, clck2 = 0; ++ } ++ } ++ ++ // Update class_count ++ $("#class_count").html($(".chk_event:checked").length); ++ if ($("#ca1:checked").length > 0) { ++ $("#ca1").prop("checked",false); ++ 
} ++ clickOne = this.id.split("_"); ++ ++ if ($(this).prop("checked") == true) { ++ $("#s" + clickTwo[1]).css("background-color", hlcol); ++ $("#s" + clickTwo[1]).hover(function(){$(this).css("background-color", hlhov)}, ++ function(){$(this).css("background-color", hlcol)}); ++ } else { ++ $("#s" + clickTwo[1]).css("background-color", "transparent"); ++ $("#s" + clickTwo[1]).hover(function(){$(this).css("background-color", "#f4f4f4")}, ++ function(){$(this).css("background-color", "transparent")}); ++ } ++ }); ++ ++ // Select all (2) ++ $(document).on("click", "#ca1", function(event) { ++ var chkLen = $("#ca1:checked").length; ++ switch(chkLen) { ++ case 0: ++ $(".chk_event").prop("checked",false); ++ $("#ca0").prop("checked",false); ++ $(".d_row_sub1").css("background-color", "transparent"); ++ $(".d_row_sub1").hover(function(){$(this).css("background-color", "#f4f4f4")}, ++ function(){$(this).css("background-color", "transparent")}); ++ break; ++ default: ++ $(".chk_event").each(function() { ++ if ($(this).prop("disabled") == false) { ++ $(this).prop("checked",true); ++ } ++ }); ++ $(".d_row_sub1").css("background-color", hlcol); ++ $(".d_row_sub1").hover(function(){$(this).css("background-color", hlhov)}, ++ function(){$(this).css("background-color", hlcol)}); ++ $("#ca0").prop("checked",true); ++ break; ++ } ++ ++ if ($(".eview_sub1")[0]) { ++ // Update class_count ++ $("#class_count").html($(".chk_event:checked").length); ++ } ++ ++ }); ++ ++ // Select all (2a) - clean this up, the above is almost identical ++ $(document).on("click", "#ca2", function(event) { ++ var chkLen = $("#ca2:checked").length; ++ switch(chkLen) { ++ case 0: ++ $(".chk_event").prop("checked",false); ++ $("#ca2").prop("checked",false); ++ $(".d_row_sub1").css("background-color", "transparent"); ++ $(".d_row_sub1").hover(function(){$(this).css("background-color", "#f4f4f4")}, ++ function(){$(this).css("background-color", "transparent")}); ++ break; ++ default: ++ 
$(".chk_event").each(function() { ++ if ($(this).prop("disabled") == false) { ++ $(this).prop("checked",true); ++ } ++ }); ++ $(".d_row_sub1").css("background-color", hlcol); ++ $(".d_row_sub1").hover(function(){$(this).css("background-color", hlhov)}, ++ function(){$(this).css("background-color", hlcol)}); ++ $("#ca2").prop("checked",true); ++ break; ++ } ++ // Update class_count ++ $("#class_count").html($(".chk_event:checked").length); ++ }); ++ ++ // Class button click ++ $(document).on("click", "[id*=\"b_class-\"]", function() { ++ // We only fire if something is selected ++ var chkLen = parseInt($(".chk_event:checked").length + $(".chk_all:checked").length); ++ var intclass = $(this).attr('id').split("-"); ++ if (chkLen > 0 && intclass[1] != 0) { ++ eClass(this,intclass[1]); ++ } ++ }); ++ ++ function eClass(caller,intclass) { ++ // The sid.cid values ++ var scid= "", scidlist = "", ecls = 0; ++ if ($(".eview_sub1")[0] || $("#ca2")[0]) { ++ $(".chk_event:checked").each(function() { ++ if ($(this).data('eclass') == 0) { ++ ecls++; ++ } ++ scid += $(this).val() + ","; ++ }); ++ scidlist = scid.replace(/,$/, ""); ++ } else { ++ ecls = $(".d_row_active").find(".b_ec_hot").text(); ++ scidlist = $("#ca0").data("scid"); ++ } ++ ++ // Was there a message? ++ var msg = "none"; ++ if ($(".cat_msg_txt").val().length != 0) { ++ msg = $(".cat_msg_txt").val(); ++ } ++ ++ if ($('#cat_box').css('display') != 'none') { ++ $('#ico01').click(); ++ } ++ ++ // We are now ready to class ++ var catdata = intclass + "|||" + msg + "|||" + scidlist; ++ var urArgs = "type=" + 9; ++ $(function(){ ++ $.post(".inc/callback.php?" 
+ urArgs, { catdata: catdata } ,function(data){cb9(data)}); ++ }); ++ ++ function cb9(data){ ++ eval("catRaw=" + data); ++ catDbg = catRaw.dbg; ++ if (catDbg == "0") { ++ ++ var curtotalrtcount = Number(ecls); ++ // Working on grouped events ++ if ($("#gr").text() == "on") { ++ curclasscount = Number($("#class_count").text()); ++ var curtotalparentcount = $(".d_row_active").find(".b_ec_hot").text(); ++ // Do we have queued events? ++ if (curtotalparentcount > 0) { ++ ++ // Are we working on queued events? ++ if (curtotalrtcount > 0) { ++ curclasscount = curtotalrtcount; ++ } else { ++ curclasscount = 0; ++ } ++ // Adjust the parent count ++ newparentcount = parseInt(curtotalparentcount - curclasscount,10); ++ $(".d_row_active").find(".b_ec_hot").text(newparentcount); ++ ++ if (newparentcount == 0) { ++ $(".d_row_active").find(".b_ec_hot").parent().attr('class','row'); ++ $(".d_row_active").find(".b_ec_hot").attr('class','b_ec_cold'); ++ } ++ ++ // If we are working within the child, adjust accordingly ++ if ($(".eview_sub1")[0]) { ++ // How many are in the child ++ curtotalchildcount = $(".d_row_sub_active").find(".b_ec_hot").text(); ++ ++ // Adjust the child count ++ newchildcount = parseInt(curtotalchildcount - curclasscount,10); ++ $(".d_row_sub_active").find(".b_ec_hot").text(newchildcount); ++ if (newchildcount == 0) { ++ $("#ca1").prop("disabled",true); ++ $(".d_row_sub_active").find(".b_ec_hot").parent().attr('class','sub'); ++ $(".d_row_sub_active").find(".b_ec_hot").attr('class','b_ec_cold'); ++ } ++ // Otherwise we were called from the parent ++ } else { ++ $(".d_row_sub").find(".b_ec_hot").parent().attr('class','sub'); ++ $(".d_row_sub").find(".b_ec_hot").text(0); ++ $(".d_row_sub").find(".b_ec_hot").attr('class','b_ec_cold'); ++ $("#ca0").prop("disabled",true); ++ } ++ lastclasscount = newparentcount; ++ } ++ ++ // Lastly, update class_count ++ if (rtbit == 1 || curtotalrtcount > 0 || $("#eview_sub")[0]) { ++ $("#class_count").html(0); ++ } else { ++ 
$("#class_count").html($(".d_row_active").find(".b_ec_total").text()); ++ } ++ ++ // Working on ungrouped events ++ } else { ++ $("#class_count").html(lastclasscount); ++ } ++ ++ // What the new classification is ++ selClass = $(caller).data("cn"); ++ newClass = "a_" + selClass; ++ ++ // Change visible class and disable if RT ++ // If we are RT ungrouped, we just remove ++ if ($('#rt').text() == 'on' && $("#ca2")[0]) { ++ $(".chk_event:checked").each(function() { ++ var pid = $(this).attr("id").split("_"); ++ var nid = parseInt(Number(pid[1]) + 1); ++ // Remove any open payload or TX panes ++ if ($("[id^=eview_]")[0]) { ++ $("[id^=eview_]").remove(); ++ $(".d_row_sub1").css('opacity','1'); ++ } ++ // Remove the row ++ $("#s" + pid[1]).fadeOut('fast', function() { ++ $("#s" + pid[1]).remove(); ++ }); ++ }); ++ ++ // Update table (for sorter) ++ $("#tl3b").trigger('update'); ++ } else { ++ // If we are RT and all events are classed we just remove ++ if ($('#rt').text() == 'on' && $(".d_row_active").find(".b_ec_hot").text() == 0) { ++ $("#active_eview").remove(); ++ $(".d_row_active").fadeOut('slow', function (event) { ++ $(".d_row_active").remove(); ++ var newsigtotal = "-"; ++ var sigtotal = $("#esignature").text(); ++ if (sigtotal > 0) { ++ newsigtotal = parseInt(sigtotal - 1); ++ } ++ $("#esignature").text(newsigtotal); ++ }); ++ $(".d_row").css('opacity','1'); ++ } else { ++ $(".chk_event:checked").each(function() { ++ var n = this.id.split("_"); ++ $("#class_box_" + n[1]).attr('class', newClass); ++ $("#class_box_" + n[1]).text(selClass); ++ if (curtotalparentcount > 0) { ++ $(this).prop("disabled",true); ++ } ++ }); ++ } ++ $(".d_row_sub1").css("background-color", "#fafafa"); ++ $(".d_row_sub1").hover(function(){$(this).css("background-color", "#f4f4f4")}, ++ function(){$(this).css("background-color", "#fafafa")}); ++ } ++ ++ // Uncheck everything ++ $(".chk_event").prop("checked", false); ++ $(".chk_all").prop("checked", false); ++ // Remove these scids from 
the L1 scidlist ++ if ($("#ca0")[0] && rtbit == 1) { ++ var cur_scidlist = scidlist.split(','); ++ var active_scidlist = $("#ca0").data("scid"); ++ for (var i = 0; i < cur_scidlist.length; i++) { ++ active_scidlist = active_scidlist.replace(cur_scidlist[i],''); ++ } ++ active_scidlist = active_scidlist.replace(/,{2,}/g,','); ++ active_scidlist = active_scidlist.replace(/(^,|,$)/g,''); ++ $("#ca0").data("scid", active_scidlist); ++ } ++ catMsg(scidlist.split(',').length, curtotalrtcount); ++ } else { ++ catMsg(0); ++ } ++ } ++ } ++ ++ function catMsg(count, rtcount) { ++ switch (count) { ++ default: ++ var ess = ''; ++ if ( count > 1 ) ess = 's'; ++ ++ var numrows = Number($('.d_row').length + $('.d_row_sub1').length); ++ var newboxtotal = 0, newcatcount = 0; ++ newboxtotal = parseInt($("#qtotal").text() - rtcount); ++ $("#qtotal").text(newboxtotal); ++ ++ // If we are just rt update Total boxes as we go ++ if ($("#ca2")[0]) { // We are ungrouped ++ newcatcount = parseInt($("#cat_count").text() - count); ++ if (newcatcount == 0) { ++ newView("u"); ++ } else { ++ $("#cat_count").text(newcatcount); ++ } ++ } ++ ++ if (numrows == 0) { ++ newView("u"); ++ } ++ ++ var msg = count + " event" + ess + " categorized"; ++ clearTags(); ++ break; ++ } ++ ++ $("span.class_msg").text(msg); ++ $("span.class_msg").fadeIn('slow', function() { ++ setTimeout(function(){ ++ $(".class_msg").fadeOut('slow'); ++ }, 3000); ++ }); ++ } ++ ++ // Load summary tab ++ function loadSummary() { ++ var limit = 10; ++ if ($('#wm0')[0]) { ++ doMap("redraw"); ++ } else { ++ doMap("draw"); ++ } ++ mkSummary("signature",limit); ++ mkSummary("srcip",limit); ++ mkSummary("dstip",limit); ++ mkSummary("srcpt",limit); ++ mkSummary("dstpt",limit); ++ mkSummary("srccc",limit); ++ mkSummary("dstcc",limit); ++ } ++ ++ // Toggle summary section ++ $(document).on("click", ".hidepane", function(e) { ++ $('#topsignature').toggle(); ++ }); ++ ++ // Summary tab ++ function mkSummary(box,limit) { ++ var theWhen = 
getTimestamp(); ++ var theSensors = s2h('empty'); ++ var theFilter = mkFilter(); ++ // See if we are filtering by sensor ++ if ($('.chk_sen:checked').length > 0) { ++ var active_sensors = "AND event.sid IN("; ++ var iter = $('.chk_sen:checked').length; ++ $('.chk_sen:checked').each(function() { ++ active_sensors += "'" + $(this).val() + "',"; ++ }); ++ active_sensors = active_sensors.replace(/,+$/,''); ++ active_sensors += ")"; ++ theSensors = s2h(active_sensors); ++ } ++ ++ var ldr = "
"; ++ $('#ov_' + box + '_sl').prepend(ldr); ++ $('#top' + box).fadeTo('fast', 0.2); ++ switch (box) { ++ case "srcip": ++ var cbArgs = "srcip"; ++ var qargs = "ip-src"; ++ var urArgs = "type=15&qargs=" + qargs + "&filter=" + theFilter + "&sensors=" + theSensors + "&limit=" + limit + "&ts=" + theWhen; ++ $(function(){ ++ $.get(".inc/callback.php?" + urArgs, function(data){cb15(data,cbArgs)}); ++ }); ++ break; ++ case "dstip": ++ var cbArgs = "dstip"; ++ var qargs = "ip-dst"; ++ var urArgs = "type=15&qargs=" + qargs + "&filter=" + theFilter + "&sensors=" + theSensors + "&limit=" + limit + "&ts=" + theWhen; ++ $(function(){ ++ $.get(".inc/callback.php?" + urArgs, function(data){cb15(data,cbArgs)}); ++ }); ++ break; ++ case "srcpt": ++ var cbArgs = "srcpt"; ++ var qargs = "pt-src"; ++ var urArgs = "type=15&qargs=" + qargs + "&filter=" + theFilter + "&sensors=" + theSensors + "&limit=" + limit + "&ts=" + theWhen; ++ $(function(){ ++ $.get(".inc/callback.php?" + urArgs, function(data){cb17(data,cbArgs)}); ++ }); ++ break; ++ case "dstpt": ++ var cbArgs = "dstpt"; ++ var qargs = "pt-dst"; ++ var urArgs = "type=15&qargs=" + qargs + "&filter=" + theFilter + "&sensors=" + theSensors + "&limit=" + limit + "&ts=" + theWhen; ++ $(function(){ ++ $.get(".inc/callback.php?" + urArgs, function(data){cb17(data,cbArgs)}); ++ }); ++ break; ++ case "signature": ++ var qargs = "sig-sig"; ++ var urArgs = "type=15&qargs=" + qargs + "&filter=" + theFilter + "&sensors=" + theSensors + "&limit=" + limit + "&ts=" + theWhen; ++ $(function(){ ++ $.get(".inc/callback.php?" + urArgs, function(data){cb16(data)}); ++ }); ++ break; ++ case "srccc": ++ var cbArgs = "srccc"; ++ var qargs = "cc-src"; ++ var urArgs = "type=15&qargs=" + qargs + "&filter=" + theFilter + "&sensors=" + theSensors + "&limit=" + limit + "&ts=" + theWhen; ++ $(function(){ ++ $.get(".inc/callback.php?" 
+ urArgs, function(data){cb15(data,cbArgs)}); ++ }); ++ break; ++ case "dstcc": ++ var cbArgs = "dstcc"; ++ var qargs = "cc-dst"; ++ var urArgs = "type=15&qargs=" + qargs + "&filter=" + theFilter + "&sensors=" + theSensors + "&limit=" + limit + "&ts=" + theWhen; ++ $(function(){ ++ $.get(".inc/callback.php?" + urArgs, function(data){cb15(data,cbArgs)}); ++ }); ++ break; ++ } ++ ++ // IP and Country ++ function cb15(data,cbArgs){ ++ var ch = "SRC"; ++ var wip = "d"; ++ if (cbArgs[0] == "s") ch = "DST", wip = "s"; ++ eval("raw=" + data); ++ var tbl = '', head = '', row = ''; ++ head += ""; ++ head += "COUNT"; ++ head += "%TOTAL"; ++ head += "#SIG"; ++ head += "#" + ch + ""; ++ if (cbArgs[3] == "c") { ++ head += "COUNTRY"; ++ head += "#IP"; ++ } else { ++ head += "IP"; ++ head += "COUNTRY"; ++ } ++ head += ""; ++ ++ var eventsum = raw[raw.length - 1].n || 0; ++ var records = raw[raw.length - 1].r || 0; ++ if (records == 0) { ++ row = "No result."; ++ $("#ov_" + cbArgs + "_sl").text(""); ++ } ++ for (var i=0; i 0) per = parseFloat(cnt/eventsum*100).toFixed(2); ++ row += ""; ++ row += "" + cnt + ""; ++ row += "" + per + "%"; ++ row += "" + sigs + ""; ++ row += "" + ip2 + ""; ++ ++ if (cbArgs[3] == "c") { ++ row += ""; ++ row += cs[1] + clong + " (." + cc.toLowerCase() + ")" + ""; ++ row += "" + ip + ""; ++ } else { ++ row += "
" + ip + ""; ++ row += ""; ++ row += cs[1] + clong + " (." + cc.toLowerCase() + ")" + ""; ++ } ++ row += ""; ++ row += "
"; ++ } ++ tbl += ""; ++ tbl += head; ++ tbl += row; ++ tbl += "
"; ++ if ($("#top" + cbArgs)[0]) $("#top" + cbArgs).remove(); ++ $("#ov_" + cbArgs + "_sl").after(tbl); ++ $("#ov_" + cbArgs + "_msg").html("viewing " + i + " of " + records + " results"); ++ mkSlider("ov_" + cbArgs + "_sl", i, records); ++ } ++ ++ // Ports ++ function cb17(data,cbArgs){ ++ eval("raw=" + data); ++ var tbl = '', head = '', row = ''; ++ head += ""; ++ head += "COUNT"; ++ head += "%TOTAL"; ++ head += "#SIG"; ++ head += "#SRC" ++ head += "#DST"; ++ head += "PORT"; ++ head += ""; ++ ++ var eventsum = raw[raw.length - 1].n || 0; ++ var records = raw[raw.length - 1].r || 0; ++ if (records == 0) { ++ row = "No result."; ++ $("#ov_" + cbArgs + "_sl").text(""); ++ } ++ for (var i=0; i 0) per = parseFloat(cnt/eventsum*100).toFixed(2); ++ row += ""; ++ row += "" + cnt + ""; ++ row += "" + per + "%"; ++ row += "" + sigs + ""; ++ row += "" + src + ""; ++ row += "" + dst + ""; ++ row += "" + port + ""; ++ row += ""; ++ row += "
"; ++ } ++ tbl += ""; ++ tbl += head; ++ tbl += row; ++ tbl += "
"; ++ if ($("#top" + cbArgs)[0]) $("#top" + cbArgs).remove(); ++ $("#ov_" + cbArgs + "_sl").after(tbl); ++ $("#ov_" + cbArgs + "_msg").html("viewing " + i + " of " + records + " results"); ++ mkSlider("ov_" + cbArgs + "_sl", i, records); ++ } ++ // Signature ++ function cb16(data){ ++ eval("raw=" + data); ++ var tbl = '', head = '', row = ''; ++ head += ""; ++ head += "COUNT"; ++ head += "%TOTAL"; ++ head += "#SRC"; ++ head += "#DST"; ++ head += "SIGNATURE"; ++ head += "ID"; ++ head += ""; ++ ++ var eventsum = raw[raw.length - 1].n || 0; ++ var records = raw[raw.length - 1].r || 0; ++ if (records == 0) { ++ row = "No result."; ++ $("#ov_signature_sl").text(""); ++ $("#ovestat").html("(No events)"); ++ } else { ++ $("#ovestat").html("(" + eventsum + " events)"); ++ } ++ for (var i=0; i 0) per = parseFloat(cnt/eventsum*100).toFixed(2); ++ row += ""; ++ row += "" + cnt + ""; ++ row += "" + per + "%"; ++ row += "" + src + ""; ++ row += "" + dst + ""; ++ row += "" + sig + ""; ++ row += "" + sid + ""; ++ row += ""; ++ row += "
"; ++ } ++ ++ tbl += ""; ++ tbl += head; ++ tbl += row; ++ tbl += "
"; ++ if ($('#topsignature')[0]) $('#topsignature').remove(); ++ $("#ov_signature_sl").after(tbl); ++ $("#ov_signature_msg").html("viewing " + i + " of " + records + " results"); ++ mkSlider("ov_signature_sl", i, records); ++ } ++ } ++ ++ $(".ovsl").mouseup(function() { ++ var section = $(this).attr('id'); ++ var base = section.split("_")[1]; ++ var limit = Number($("#" + section + "_lbl").text()); ++ if (limit > 0) mkSummary(base, limit); ++ }); ++ ++ // ++ // Views tab ++ // ++ ++ function loadViews() { ++ $('.db_links').show(); ++ if (!$("#db_view_cont")[0]) mkView(); ++ } ++ ++ // Link handlers ++ $(document).on('click', '.db_link', function() { ++ $('.db_link').each(function() { ++ if ($(this).data('state') == '1') { ++ $(this).removeClass('db_link_active'); ++ $(this).data('state', '0'); ++ } ++ }); ++ $(this).data('state', '1'); ++ mkView(); ++ }); ++ ++ $(document).on('click', '.db_type', function() { ++ $('.db_type').each(function() { ++ if ($(this).data('state') == '1') { ++ $(this).removeClass('db_type_active'); ++ $(this).data('state', '0'); ++ } ++ }); ++ $(this).data('state', '1'); ++ mkView(); ++ }); ++ ++ $(document).on('click','.db_save', function() { ++ ++ }); ++ ++ // Create the view ++ function mkView() { ++ $('#db_view_cont,#hp_info').remove(); ++ if (!$("#db_view_ldr")[0]) { ++ var view = 'ip'; ++ $('.db_link').each(function() { ++ if ($(this).data('state') == '1') { ++ $(this).addClass('db_link_active'); ++ view = $(this).data('val'); ++ } ++ }); ++ ++ var type = 'sk'; ++ $('.db_type').each(function() { ++ if ($(this).data('state') == '1') { ++ $(this).addClass('db_type_active'); ++ type = $(this).data('type'); ++ } ++ }); ++ ++ var theWhen = getTimestamp(); ++ var theSensors = s2h('empty'); ++ var theFilter = mkFilter(); ++ // See if we are filtering by sensor ++ if ($('.chk_sen:checked').length > 0) { ++ var active_sensors = "AND event.sid IN("; ++ var iter = $('.chk_sen:checked').length; ++ $('.chk_sen:checked').each(function() { ++ 
active_sensors += "'" + $(this).val() + "',"; ++ }); ++ active_sensors = active_sensors.replace(/,+$/,''); ++ active_sensors += ")"; ++ theSensors = s2h(active_sensors); ++ } ++ ++ var ldr = "
"; ++ $('.db_view').after(ldr); ++ var qargs = view + "-" + type; ++ var urArgs = "type=16&qargs=" + qargs + "&filter=" + theFilter + "&sensors=" + theSensors + "&ts=" + theWhen; ++ $(function(){ ++ $.get(".inc/callback.php?" + urArgs, function(data){cb17(data,type)}); ++ }); ++ ++ function cb17(data,type) { ++ eval("viewData=" + data); ++ var records = viewData.records; ++ if ($('#db_view_cont')[0]) $('#db_view_cont').remove(); ++ if (records > 0) { ++ $('.db_view').after("
"); ++ switch (type) { ++ case 'sk': ++ var w = $(window).width(); ++ var h = viewData.links.length * 12; ++ if (h < 100) h = 100; ++ mkSankey("db_view_cont",viewData,w,h); ++ break; ++ } ++ } else { ++ $('.db_view').after("
The query returned no results.
"); ++ } ++ $('#db_view_ldr').remove(); ++ } ++ } ++ } ++ ++ // Make a map ++ function doMap() { ++ theWhen = getTimestamp(); ++ var theFilter = mkFilter(); ++ var working = "Working
"; ++ ++ $('#wm0').html(working); ++ ++ var urArgs = "type=" + 10 + "&filter=" + theFilter + "&ts=" + theWhen; ++ $(function(){ ++ $.get(".inc/callback.php?" + urArgs, function(data){cb10(data)}); ++ }); ++ ++ function cb10(data){ ++ eval("mapRaw=" + data); ++ try { ++ var mapDetail = $.parseJSON("{" + mapRaw.all + "}"); ++ var srcc = mapRaw.srcc; ++ var srce = mapRaw.srce; ++ var dstc = mapRaw.dstc; ++ var dste = mapRaw.dste; ++ var allc = mapRaw.allc; ++ var alle = mapRaw.alle; ++ } ++ catch(e) { ++ var mapDetail = "{\"\"}"; ++ } ++ ++ // What is our current event total? ++ var esum = $('#event_sum').val(); ++ var w = $(window).width() - 72; ++ var h = w / 2.7 ; ++ $("#ov_map").html("
"); ++ $('#wm0').vectorMap({ ++ map: 'world_mill_en', ++ color: '#f4f3f0', ++ backgroundColor: '#CFE1FC', ++ zoomOnScroll: false, ++ onRegionClick: function(event, code){ ++ hItemAdd(code); ++ $('#search').val("cc" + " " + code); ++ $('#search').focus(); ++ }, ++ series: { ++ regions: [{ ++ values: mapDetail, ++ scale: ['#ffffff', '#000000'], ++ normalizeFunction: 'polynomial' ++ }] ++ }, ++ onRegionLabelShow: function(e, el, code){ ++ if (mapDetail[code]) { ++ var eper = parseFloat(mapDetail[code]/esum*100).toFixed(3); ++ el.html(el.html() + ' (' + mapDetail[code] + ' Events ' + eper + '% of Total)'); ++ } else { ++ el.html(el.html()); ++ } ++ } ++ }); ++ ++ var stats = "("; ++ stats += allc + " distinct countries)"; ++ $("#ovmapstat").html(stats); ++ } ++ } ++ ++ // Redraw map ++ $(document).on("click", "#map_src, #map_dst", function() { ++ doMap($(this).attr('id').split("_")[1]); ++ }); ++ ++ // ++ // History ++ // ++ ++ function doHistory(object) { ++ $('#loader').show(); ++ var urArgs = "type=" + 21 + "&object=" + s2h("aa" + object) + "&ts=" + theWhen; ++ $(function(){ ++ $.get(".inc/callback.php?" 
+ urArgs, function(data){cb21(data)}); ++ }); ++ ++ function cb21(data){ ++ eval("chartData=" + data); ++ var r1 = chartData.r1; ++ var r2 = chartData.r2; ++ var sum = 0; ++ if (r1 > 0) { ++ mkHeatMap(".ev_hm",chartData.start,chartData.rows1,object); ++ $('#obhist_sig').remove(); ++ if (r2 > 0) { ++ ++ for (var i=0; i < r2; i++) { ++ sum += Number(chartData.rows2[i].value); ++ } ++ ++ var tbl = '', head = '', row = ''; ++ head += ""; ++ head += "COUNT"; ++ head += "%TOTAL"; ++ head += "SIGNATURE"; ++ head += ""; ++ row += ""; ++ ++ for (var i=0; i < r2; i++) { ++ ++ var cnt = chartData.rows2[i].value || "-"; ++ var sig = chartData.rows2[i].label || "-"; ++ var sid = chartData.rows2[i].sid || "-"; ++ var per = 0; ++ if (sum > 0) var per = parseFloat(cnt/sum*100).toFixed(2); ++ var tsg = truncTag(sig,60); ++ ++ row += ""; ++ row += "" + cnt + ""; ++ row += "" + per + "%"; ++ row += "" + tsg + ""; ++ row += "" ++ row += "
"; ++ } ++ ++ row += ""; ++ tbl += ""; ++ tbl += head; ++ tbl += row; ++ tbl += "
"; ++ if ($('#obhist_sig')[0]) $('#obhist_sig').remove(); ++ $(".ev_py").append(tbl); ++ } ++ } else { ++ return; ++ } ++ if ($(".eview_charts")[0]) $('.eview_charts').slideDown('slow'); ++ $("#loader").hide(); ++ } ++ } ++// The End. ++}); +--- /dev/null ++++ securityonion-squert-20161212/.auth/sso/squert/login.php +@@ -0,0 +1,141 @@ ++ ++// ++// This program is free software: you can redistribute it and/or modify ++// it under the terms of the GNU General Public License as published by ++// the Free Software Foundation, either version 3 of the License, or ++// (at your option) any later version. ++// ++// This program is distributed in the hope that it will be useful, ++// but WITHOUT ANY WARRANTY; without even the implied warranty of ++// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the ++// GNU General Public License for more details. ++// ++// You should have received a copy of the GNU General Public License ++// along with this program. If not, see . ++// ++// ++ ++include_once '.inc/config.php'; ++ ++$username = $password = $err = ''; ++$focus = 'username'; ++session_set_cookie_params(0, NULL, NULL, NULL, TRUE); ++ ++function cleanUp($string) { ++ if (get_magic_quotes_gpc()) { ++ $string = stripslashes($string); ++ } ++ $string = mysql_real_escape_string($string); ++ return $string; ++} ++ ++//if ($_SERVER['REQUEST_METHOD'] == 'POST'){ ++ //$username = $_REQUEST['username']; ++ //$password = $_REQUEST['password']; ++ $username = $_SERVER['PHP_AUTH_USER']; ++ $password = $_SERVER['PHP_AUTH_PW']; ++ ++ $ua = $_SERVER['HTTP_USER_AGENT']; ++ $rqt = $_SERVER['REQUEST_TIME']; ++ $rqaddr = $_SERVER['REMOTE_ADDR']; ++ $max = mt_getrandmax(); ++ $rqt .= mt_rand(0,$max); ++ $rqaddr .= mt_rand(0,$max); ++ $ua .= mt_rand(0,$max); ++ $cmpid = $rqt . $rqaddr . 
$ua; ++ $id = md5($cmpid); ++ $db = mysql_connect($dbHost,$dbUser,$dbPass); ++ $link = mysql_select_db($dbName, $db); ++ if ($link) { ++ $user = cleanUp($username); ++ $query = "SELECT * FROM user_info WHERE username = '$user'"; ++ $result = mysql_query($query); ++ $numRows = mysql_num_rows($result); ++ ++ if ($numRows > 0) { ++ while ($row = mysql_fetch_row($result)) { ++ $userName = $row[1]; ++ $lastLogin = $row[2]; ++ $userHash = $row[3]; ++ $userEmail = $row[4]; ++ $userType = $row[5]; ++ $userTime = $row[6]; ++ $tzoffset = $row[7]; ++ } ++ // The first 2 chars are the salt ++ $theSalt = substr($userHash, 0,2); ++ ++ // The remainder is the hash ++ $theHash = substr($userHash, 2); ++ ++ // Now we hash the users input ++ $testHash = sha1($password . $theSalt); ++ ++ // Does it match? If yes, start the session. ++ if ($testHash === $theHash) { ++ session_start(); ++ ++ // Protect against session fixation attack ++ if (!isset($_SESSION['initiated'])) { ++ session_regenerate_id(); ++ $_SESSION['initiated'] = true; ++ } ++ ++ $_SESSION['sLogin'] = 1; ++ $_SESSION['sUser'] = $userName; ++ $_SESSION['sPass'] = $password; ++ $_SESSION['sEmail'] = $userEmail; ++ $_SESSION['sType'] = $userType; ++ $_SESSION['sTime'] = $userTime; ++ $_SESSION['tzoffset'] = $tzoffset; ++ $_SESSION['sTab'] = 't_sum'; ++ $_SESSION['id'] = $id; ++ ++ header ("Location: index.php?id=$id"); ++ } else { ++ $err = 'The user name or password is incorrect.'; ++ $focus = 'username'; ++ } ++ } else { ++ $err = 'The user name or password is incorrect.'; ++ $focus = 'username'; ++ } ++ } else { ++ $err = 'Connection Failed'; ++ } ++//} ++?> ++ ++ ++ ++Please login to continue ++ ++ ++ ++ ++
++
++ ++ ++ ++ ++ ++ ++
++squert - Please login to continue
++Username
++
++Password
++
++

++
Version 1.6.4©2016 Paul Halliday
++
++
++ ++ ++ +--- securityonion-squert-20161212.orig/.auth/sso/squertMain.js ++++ /dev/null +@@ -1,3276 +0,0 @@ +-/* Copyright (C) 2012 Paul Halliday */ +- +-$(document).ready(function(){ +- +- $(document).on('click', '[class*="bpr"]', function() { +- // We disallow filtering if any events have already been selected +- // or if we stray from the event tab +- if ($('.d_row_active')[0]) return; +- if ($(".chk_event:checked").length > 0) return; +- if ($(".tab_active").attr('id') != 't_sum') return; +- +- var prClass = $(this).attr('class').split('b')[1]; +- var prOld = $(this).data('pr'); +- +- function flipIt(pattern) { +- $(pattern).closest('tr').hide(); +- $(pattern).closest('tr').attr('class','hidden'); +- if ($('#gr').text() == 'on') $(pattern).closest('tr').find('.chk_event').prop("disabled",true); +- } +- if ($('.b' + prClass).attr('class') == 'bprA') { +- $('.b' + prClass).attr('class', 'bpr' + prOld); +- $('.hidden').attr('class','d_row'); +- $('.d_row').show(); +- if ($('#gr').text() == 'on') { +- $('.chk_event').prop("disabled",false); +- $('.chk_all').prop("checked",false); +- $('.chk_event').css("background-color", "#fafafa"); +- } +- } else { +- // See if we are already filtered +- if ($('.bprA')[0]) { +- $('.hidden').attr('class','d_row'); +- $('.d_row').show(); +- if ($('#gr').text() == 'on') { +- $('.chk_event').prop("disabled",false); +- $('.chk_all').prop("checked",false); +- $('.chk_event').css("background-color", "#fafafa"); +- } +- var prPrev = $('.bprA').data('pr'); +- $('.bprA').attr('class', 'bpr' + prPrev); +- } +- $('.b' + prClass).attr('class','bprA'); +- switch (prClass) { +- case "pr1": ptrn = ".pr2,.pr3,.pr4"; break; +- case "pr2": ptrn = ".pr1,.pr3,.pr4"; break; +- case "pr3": ptrn = ".pr1,.pr2,.pr4"; break; +- case "pr4": ptrn = ".pr1,.pr2,.pr3"; break; +- } +- flipIt(ptrn); +- } +- }); +- +- // +- // Load main content +- // +- +- // Keep track of context +- thisUser = $('#t_usr').data('c_usr'); +- thisTZ = $('#user_tz').val(); +- rtbit = 
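Review bot: The new login.php still builds its user lookup as a string over the legacy mysql_* extension (`$query = "SELECT * FROM user_info WHERE username = '$user'"` after `cleanUp()`), while the same commit moves callback.php to PDO prepared statements, so this file is inconsistent with the change and depends on an extension that later PHP releases no longer ship. The credential check compares the digests with `===` and only regenerates the session id when `initiated` is unset, whereas a successful login should use `if (hash_equals($theHash, $testHash)) {` followed by an unconditional `session_regenerate_id(true);` so a pre-login session id is never carried into the authenticated session. Writing the plaintext password into `$_SESSION['sPass']` keeps the secret in the session store for the life of the session; if nothing downstream reads sPass, drop that line. The sha1-over-two-character-salt scheme is presumably fixed by the existing user_info rows, so a move to password_hash()/password_verify() with a rehash on next successful login is the natural follow-up rather than part of this change. A prepared-statement version of the lookup, mirroring the PDO setup this commit adds to callback.php, would look like this:
```php
// … unchanged: $id generation …
$row = false;
try {
    $dbpdo = new PDO("mysql:host=$dbHost;dbname=$dbName;charset=latin1", $dbUser, $dbPass, [
        PDO::ATTR_EMULATE_PREPARES => false,
        PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
    ]);
    $stmt = $dbpdo->prepare('SELECT * FROM user_info WHERE username = ?');
    $stmt->execute([$username]);
    $row = $stmt->fetch(PDO::FETCH_NUM);
} catch (PDOException $e) {
    error_log('Error connecting to mysql: ' . $e->getMessage());
    $err = 'Connection Failed';
}
if ($row !== false) {
    // … unchanged: column assignments from $row, salt/hash split, sha1 of the input …
    if (hash_equals($theHash, $testHash)) {
        session_start();
        session_regenerate_id(true);
        $_SESSION['initiated'] = true;
        // … unchanged: remaining $_SESSION fields (without sPass) and the redirect …
    } else {
        $err = 'The user name or password is incorrect.';
    }
} elseif ($err === '') {
    $err = 'The user name or password is incorrect.';
}
```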
0; +- eventList("0-aaa-00"); +- $("#loader").show(); +- lastclasscount = 0; +- +- $(document).on("click", "#dt_savetz", function(event) { +- if ($('.dt_error').data('err') == 0) { +- var newOffset = $('#ts_offset').val(); +- profileUpdate("tz", s2h(newOffset)); +- $('#user_tz').val(newOffset); +- } +- }); +- +- // Depending on context a 'No result' may be confusing +- // so we turn off active queue and show everything +- $(document).on('click', '#retry', function() { +- $('#rt').attr('class','tvalue_off'); +- $('#rt').text('off'); +- rtbit = 0; +- $('.b_update').click(); +- }); +- +- // Get event statuses +- var eTotal = 0, qTotal = 0; +- function statusPoll(caller) { +- // See if we are filtering by sensor +- var theSensors = s2h('empty'); +- if ($('.chk_sen:checked').length > 0) { +- var active_sensors = "AND event.sid IN("; +- var iter = $('.chk_sen:checked').length; +- $('.chk_sen:checked').each(function() { +- active_sensors += "'" + $(this).val() + "',"; +- }); +- active_sensors = active_sensors.replace(/,+$/,''); +- active_sensors += ")"; +- theSensors = s2h(active_sensors); +- } +- +- var urArgs = "type=" + 6 + "&ts=" + theWhen + "&sensors=" + theSensors; +- $(function(){ +- $.get(".inc/callback.php?" + urArgs, function(data){cb(data)}); +- }); +- +- function cb(data){ +- // Check to make sure we still have a valid session. If we don't +- // let the user know and return them to the login page. +- if (data[0] == "<") { +- $("span.class_msg").text("Your session has expired!"); +- $("span.class_msg").css("background-color", "#cc0000"); +- $("span.class_msg").css("color", "#fff"); +- $("span.class_msg").show(); +- var sessionDead = confirm("Your session has expired. Press \"OK\" to return to the login page. If you aren't finished with what you were looking at click 'Cancel'. 
Note: you won't be able to perform any actions."); +- if (sessionDead) { +- $("#logout").click(); +- } +- } +- eval("ec=" + data); +- +- var esum = 0; +- +- for (var i=0; i 0) { +- var p = parseFloat(ecount/esum*100).toFixed(1); +- var w = parseInt(p*2); +- } +- if (eclass == 0) { +- qTotal = ecount; +- } +- $("#c-" + eclass).text(ecount); +- $("#c-" + eclass).append("(" + p + "%)"); +- } +- +- var lastcount = $("#cat_sum").val(); +- var newcount = esum; +- $("#cat_sum").val(esum); +- eTotal = esum; +- $("#event_sum").val(eTotal); +- +- if (caller == 0) { // Fresh load +- lastcount = newcount; +- } +- +- // Last RT value +- var lastQ = Number($("#qtotal").html()); +- if (lastcount < newcount) { +- $("#etotal").html(eTotal); +- } +- +- if (lastQ < qTotal) { +- if (caller != 0) { +- if ($(".icon_notifier").css('display') == 'none') $(".icon_notifier").fadeToggle(); +- } +- $("#etotal").html(eTotal); +- $("#qtotal").html(qTotal); +- } +- +- $("#title").html("squert (" + qTotal + ") - " + thisUser); +- +- } +- +- } +- +- // +- // Event monitor (how often we poll for new events) +- // +- +- var emTimeout = 30000; +- window.setInterval(function(){ +- if ($('#search').val().length == 0) { +- statusPoll(1); +- } +- }, emTimeout); +- +- $(document).on("click", '[class*="cl_"]', function(event) { +- var nc = $(this).attr('class').split("_"); +- var ct = $(this).parents('table').data('comment'); +- $(".cat_msg_txt").val(ct); +- $('#b_class-' + nc[1]).click(); +- }); +- +- // Tabs +- var tab_cached = $("#sel_tab").val(); +- +- switch (tab_cached) { +- case "t_sum": +- $('.content-right').show(); +- break; +- case "t_ovr": +- $('.content-right').hide(); +- $('.content-left').hide(); +- if ($('#ovestat').text().length == 0) loadSummary(); +- break; +- case "t_view": +- $('.content-right').hide(); +- $('.content-left').hide(); +- loadViews(); +- default: +- $('.content-right').hide(); +- $('.content-left').hide(); +- break; +- } +- +- $('#' + 
tab_cached).attr('class','tab_active'); +- $("#" + tab_cached + "_content").attr('class','content_active'); +- +- $(".tab,.tab_active").click(function(event) { +- var active = $(".tab_active").attr('id'); +- var content = $(".content_active").attr('id'); +- if ($(".fl_val_on")[0]) { +- $('.b_update').click(); +- } +- +- if ( this.id != active ) { +- $("#" + active).removeClass('tab_active'); +- $("#" + active).addClass('tab'); +- $(this).attr('class','tab_active'); +- $("#" + content).attr('class','content'); +- $("#" + this.id + "_content").attr('class','content_active'); +- activeTab = $(".tab_active").attr('id'); +- $('.pin').hide(); +- +- switch (activeTab) { +- case "t_sum": +- $('.content-right').show(); +- if (Number($('.botog').data('val')) == 1) $('.content-left').show(); +- $('.t_pbar').css('opacity',1); +- $('.db_links').hide(); +- $('.pin').show(); +- break; +- case "t_ovr": +- $('.content-right').hide(); +- $('.content-left').hide(); +- if ($('#ovestat').text().length == 0) loadSummary(); +- $('.t_pbar').css('opacity',.1); +- $('.db_links').hide(); +- break; +- case "t_view": +- $('.content-right').hide(); +- $('.content-left').hide(); +- $('.t_pbar').css('opacity',.1); +- loadViews(); +- break; +- default: +- $('.content-right').hide(); +- $('.content-left').hide(); +- $('.t_pbar').css('opacity',.1); +- $('.db_links').hide(); +- break; +- } +- +- $('#sel_tab').val(activeTab); +- var ctab = $('#sel_tab').val(); +- var urArgs = "type=" + 5 + "&tab=" + ctab; +- $.get(".inc/callback.php?" 
+ urArgs); +- } +- }); +- +- // Sub tab groups +- $(".tsg").click(function(event) { +- var nc = Number($(this).attr('class').split(/\s/).length); +- var ct = $(this).data('tab'); +- $('.tsg_active').attr('class','tsg'); +- $(this).attr('class','tsg tsg_active'); +- }); +- +- // Toggle and update views +- function newView(req) { +- // No racing please +- var bail = $("#loader").css('display'); +- if (bail != 'none') return; +- // Remove any stale views +- $("#tl0,#tl1,#tl3a,#tl3b").remove(); +- var f = "0-aaa-00"; +- var s = "2a-aaa-00"; +- var cv = $("#gr").text(); +- +- switch (cv) { +- case "on": +- eventList(f); +- $("#loader").show(); +- break; +- case "off": +- eventList(s); +- $("#loader").show(); +- break; +- } +- } +- +- // Group and ungroup +- $(document).on("click", "#gr", function(event) { +- var bail = $("#loader").css('display'); +- if (bail != 'none') return; +- var cv = $('#gr').text(); +- switch (cv) { +- case 'on': +- $('#gr').attr('class','tvalue_off'); +- $('#gr').text('off'); +- break; +- case 'off': +- $('#gr').attr('class','tvalue_on'); +- $('#gr').text('on'); +- $("#event_sort").val("DESC"); +- break; +- } +- }); +- +- // RT check/uncheck +- $(document).on("click", "#rt", function(event) { +- var bail = $("#loader").css('display'); +- if (bail != 'none') return; +- var cv = $('#rt').text(); +- switch (cv) { +- case 'on': +- $('#rt').attr('class','tvalue_off'); +- $('#rt').text('off'); +- rtbit = 0; +- break; +- case 'off': +- $('#rt').attr('class','tvalue_on'); +- $('#rt').text('on'); +- rtbit = 1; +- break; +- } +- }); +- +- // Toggle side/lower bars +- $(document).on("click", ".botog", function(event) { +- if ($('.tab_active').attr('id') != 't_sum') return; +- var n = Number($('.botog').data("val")); +- switch (n) { +- case 1: +- $('.botog').data("val","0"); +- $('.content-right').css("width","100%"); +- $('.botog').attr('src','.css/layout0.png'); +- break; +- case 0: +- $('.botog').data("val","1"); +- 
$('.content-right').css("width","82%"); +- $('.botog').attr('src','.css/layout1.png'); +- break; +- } +- $('.bottom').animate({height: 'toggle'}); +- $('.content-left').animate({width: 'toggle'}); +- }); +- +- // Section show and hide +- $(".st").click(function() { +- var thisSec = $(this).data("sec"); +- var thisSecID = "#sec_" + thisSec; +- var thisSecVis = $(thisSecID).css("display"); +- var lastSection = "h"; +- switch (thisSecVis) { +- case "none": +- $(this).attr("src", ".css/uarr.png"); +- $(thisSecID).slideDown(); +- break; +- default: +- $(this).attr("src", ".css/darr.png"); +- $(thisSecID).slideUp(); +- break; +- } +- }); +- +- // If search is in focus, update on enter +- $('#search').keypress(function(e) { +- if (!e) e=window.event; +- key = e.keyCode ? e.keyCode : e.which; +- if (key == 13) { +- // Close comment box if it is open +- if ($('#cat_box').css('display') != 'none') { +- $('#ico01').click(); +- } +- $('.b_update').click(); +- } +- }); +- +- // Sort ASC/DESC +- $(document).on("click", ".event_time", function(event) { +- var csv = $(".event_time").text(); +- switch (csv) { +- case "show oldest first": +- $("#event_sort").val("ASC"); +- break; +- case "show newest first": +- $("#event_sort").val("DESC"); +- break; +- } +- newView("u"); +- }); +- +- // Update page +- $(document).on("click", ".b_update", function(event) { +- $(".icon_notifier").fadeToggle(); +- $(".tag").remove(); +- $(".tag_empty").show(); +- // Remove any supplementary results +- if ($("#extresult")[0]) $("#extresult").remove(); +- // Where are we? 
+- var curTab = $('.tab_active').attr('id'); +- switch (curTab) { +- case 't_ovr': +- loadSummary(); +- break; +- case 't_view': +- mkView(); +- break; +- default: +- $(".b_update_note").hide(); +- newView("u"); +- break; +- } +- }); +- +- // Clear search and refresh +- $('#clear_search').click(function() { +- if ($('#search').val() != '') { +- $('#search').val(''); +- $("#search").focus(); +- if ($(".fl_val_on")[0]) { +- $('.b_update').click(); +- } +- } +- }); +- +- // Logout +- $("#logout").click(function(event) { +- //$.get("/logout.html", function(){location.reload()}); +- location.replace("/logout.html"); +- }); +- +- // Toggle filters +- $(document).on('click', '.fl_val_on', function(event) { +- var wF = $(this).data("ft"); +- switch (wF) { +- case "tl": +- +- break; +- case "ob": +- $('#clear_search').click(); +- break; +- case "sn": +- $(".chk_sen").each(function() { +- $(this).prop("checked",false); +- }); +- $('.b_update').click(); +- break; +- } +- }); +- +- function clearTags() { +- //$(".tag").remove(); +- //$(".tag_empty").show(); +- $(".tag").removeClass('tag_active'); +- } +- +- // +- // Rows +- // +- +- function closeRow() { +- $("#active_eview").remove(); +- $("#" + this.id).attr('class','d_row'); +- $(".d_row").css('opacity','1'); +- ltCol = $(".d_row_active").find('td.lt').html(); +- $(".d_row_active").find('td.lt').css('background', ltCol); +- $(".d_row_active").attr('class','d_row'); +- // Update class_count +- $("#class_count").text(lastclasscount); +- // Get rid of any crashed loaders +- $("#loader").hide(); +- // Reset checkbox +- $(".chk_all").prop("checked",false); +- // Clear Tags +- clearTags(); +- } +- function closeSubRow() { +- $("#eview_sub1").remove(); +- $("#" + this.id).attr('class','d_row_sub'); +- $(".d_row_sub").css('opacity','1'); +- $(".d_row_sub_active").attr('class','d_row_sub'); +- // Update class_count +- $("#class_count").text(lastclasscount); +- curclasscount = lastclasscount; +- $("#loader").hide(); +- // Reset and 
show checkbox +- $(".chk_all").prop("checked",false); +- $("#ca0").show(); +- // Remove any open externals +- if ($("#extresult")[0]) $("#extresult").remove(); +- // Clear Tags +- clearTags(); +- } +- function closeSubRow1() { +- $("#eview_sub2").remove(); +- $("#" + this.id).attr('class','d_row_sub1'); +- if (!$("#eview_sub3")[0]) { +- $(".d_row_sub1").css('opacity','1'); +- $(".d_row_sub_active1").attr('class','d_row_sub1'); +- } +- $("#loader").hide(); +- // Reset checkbox +- $(".chk_all").prop("checked",false); +- // Remove any open externals +- if ($("#extresult")[0]) $("#extresult").remove(); +- // Clear Tags +- clearTags(); +- } +- function closeSubRow2() { +- $("#eview_sub3").remove(); +- $("#" + this.id).attr('class','d_row_sub1'); +- if (!$("#eview_sub2")[0]) { +- $(".d_row_sub1").css('opacity','1'); +- $(".d_row_sub1_active").attr('class','d_row_sub1'); +- } +- $("#loader").hide(); +- // Clear Tags +- clearTags(); +- } +- +- // +- // Level 1 +- // +- +- $(document).on("click", ".row_active", function(event) { +- var curID = $(this).parent('tr').attr('id'); +- // What type of row are we? +- rowType = curID.substr(0,3); +- +- // Make sure no other instances are open +- if (!$(".d_row_active")[0] && rowType == 'sid') { +- $("#loader").show(); +- // This leaves us with sid-gid +- var rowValue = curID.replace("sid-",""); +- var sigID = rowValue.split("-")[0]; +- +- $(".d_row_active").attr('class', 'd_row'); +- $("#active_eview").attr('class','d_row'); +- +- // This is now the active row +- $("#" + curID).attr('class','d_row_active'); +- $("html, body").animate({ scrollTop: $('.d_row_active').offset().top - 140 }, 20); +- // History +- var itemToAdd = $("#" + curID).find('[class*="row_filter"]').text(); +- hItemAdd(itemToAdd); +- // Set the class count (counted again after load) +- curclasscount = $('.d_row_active').data('event_count'); +- var cols = $('th.sort').length; +- var tbl = ''; +- tbl += ""; +- tbl += "
"; +- tbl += "
"; +- tbl += "
"; +- tbl += "
"; +- tbl += "
"; +- tbl += "
"; +- tbl += "
"; +- tbl += "
"; +- tbl += ""; +- tbl += "CATEGORIZE"; +- tbl += curclasscount + "EVENT(S)  "; +- tbl += "    "; +- tbl += "CREATE FILTER: "; +- tbl += "src  "; +- tbl += "dst  "; +- tbl += "both"; +- tbl += "
"; +- $("#" + curID).after(tbl); +- +- // Lookup signature +- sigLookup(rowValue); +- +- // Fetch results +- eventList("1-" + rowValue); +- +- $("#eview").show(); +- $(".d_row").fadeTo('0','0.2'); +- } else { +- closeRow(); +- } +- }); +- +- // +- // Level 2 +- // +- +- $(document).on("click", ".sub_active", function() { +- if (!$(".d_row_sub_active")[0]) { +- var callerID = $(this).parent('tr').attr('id'); +- +- // Reset checkbox +- $(".chk_all").prop("checked",false); +- +- // RT or ALL? +- switch (rtbit) { +- case 1: adqp = s2h("AND event.status = 0"); break; +- case 0: adqp = s2h("empty"); break; +- } +- // We are now the active row +- $("#" + callerID).attr('class','d_row_sub_active'); +- +- // Populate search times +- var bt = $("#" + callerID).find('[class*="timestamp"]').html(); +- var est = mkStamp(bt,"-",3600000,thisTZ); +- var eet = mkStamp(bt,"+",3600000,thisTZ); +- +- $('#el_start').val(est); +- $('#el_end').val(eet); +- +- // Clear search terms +- $("#srchterms").html(''); +- $(".srch_txt").val(''); +- +- // History and search +- $("#" + callerID).find('[class*="sub_filter"]').each(function() { +- if ($(this).data('type') == 'cc') { +- var itemToAdd = $(this).data('value'); +- } else { +- var itemToAdd = $(this).text(); +- // Add search terms +- $("#srchterms").append("" + itemToAdd + "  "); +- } +- hItemAdd(itemToAdd); +- }); +- +- $("#loader").show(); +- eventList("2-" + callerID + "-" + adqp); +- } else { +- closeSubRow(); +- } +- }); +- +- // +- // Level 3 (a or b) request payload +- // +- +- $(document).on("click", ".sub1_active", function() { +- // Close transcript if it is open +- if ($(".eview_sub3")[0]) closeSubRow2(); +- if (!$(".d_row_sub_active1")[0]) { +- var callerID = $(this).parent('tr').attr('id'); +- $("#" + callerID).attr('class','d_row_sub_active1'); +- +- // Populate search times +- var bt = $("#" + callerID).find('[class*="timestamp"]').html(); +- var est = mkStamp(bt,"-",1800000,thisTZ); +- var eet = 
mkStamp(bt,"+",1800000,thisTZ); +- +- $('#el_start').val(est); +- $('#el_end').val(eet); +- +- // Clear search terms +- $("#srchterms").html(''); +- $(".srch_txt").val(''); +- +- // History +- $("#" + callerID).find('[class*="sub_filter"]').each(function() { +- if ($(this).data('type') == 'cc') { +- var itemToAdd = $(this).data('value'); +- } else { +- var itemToAdd = $(this).text(); +- } +- if ($(this).data('type') == 'ip') { +- // Add search terms +- $("#srchterms").append("" + itemToAdd + "  "); +- } +- hItemAdd(itemToAdd); +- }); +- $("#loader").show(); +- eventList("3-" + callerID); +- } else { +- closeSubRow1() +- } +- }); +- +- // +- // Level 3 (a or b) request transcript +- // +- +- $(document).on("click", ".sub2_active", function(event) { +- // Close payload if it is open +- if ($(".eview_sub2")[0]) closeSubRow1(); +- var bail = $("#loader").css('display'); +- if (bail != 'none') return; +- if (!$(".eview_sub3")[0]) { +- $("#loader").show(); +- composite = $(this).data('tx').split("-"); +- rowLoke = composite[0]; +- $("#" + rowLoke).attr('class','d_row_sub1_active'); +- nCols = $("#" + rowLoke).find('td').length; +- cid = composite[1]; +- txdata = composite[2]; +- +- // See if a transcript is available +- var urArgs = "type=" + 7 + "&txdata=" + txdata; +- $(function(){ +- $.post(".inc/callback.php?" + urArgs, function(data){cb5(data)}); +- }); +- +- function cb5(data){ +- eval("txRaw=" + data); +- txCMD = txRaw.cmd; +- txResult = txRaw.tx; +- txDebug = txRaw.dbg; +- if (txResult == "DEBUG:") txResult += " No data was returned."; +- if (!txResult) { +- txResult = "Transcript request failed!

"; +- txResult += "The command was:
" + txCMD + "

"; +- txResult += "The response was:" + txDebug.replace(/DEBUG:/g,"
"); +- } +- +- var row = '',tbl = ''; +- row += ""; +- row += ""; +- row += "
"; +- row += txResult; +- row += "
"; +- +- tbl += ""; +- tbl += row; +- tbl += ""; +- $("#" + rowLoke).after(tbl); +- +- // Turn off fade effect for large results +- var rC = $(".d_row_sub1").length; +- if ( rC <= 399 ) { +- $(".d_row_sub1").fadeTo('fast','0.2'); +- } +- +- $("#loader").hide(); +- } +- } else { +- closeSubRow2(); +- } +- }); +- +- // Toggle RT depending on entry point +- $(document).on("click", ".b_ec_hot", function() { +- rtbit = 1; +- }); +- $(document).on("click", ".b_ec_total", function() { +- rtbit = 0; +- }); +- +- // Filter constructor +- function mkFilter() { +- if ($('#search').val().length > 0) { +- +- var srchVal = $('#search').val(); +- var fParts = ""; +- +- // If no term is supplied default to a string, IP or wildcard IP search +- chkVal: +- if (srchVal.indexOf(" ") == -1 && srchVal[0] != "!") { +- var re = /^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}/; +- if (re.exec(srchVal)) { +- srchVal = "ip " + srchVal; +- break chkVal; +- } +- +- var re = /^(\d{1,3}|%)\.(\d{1,3}|%)\.(\d{1,3}|%)\.(\d{1,3}|%)/; +- if (re.exec(srchVal)) { +- srchVal = "wip " + srchVal; +- break chkVal; +- } +- +- srchVal = "sig " + srchVal; +- } +- +- fParts = srchVal.replace(/^!/,"").split(" "); +- if (fParts[0] == 'cmt') { +- var theFilter = s2h($('#search').val()); +- rtbit = 0; +- } else { +- // Now see if the requested filter exists +- if ($("#tr_" + fParts[0]).length > 0) { +- tmpFilter = $("#tr_" + fParts[0]).data('filter'); +- // Now see if we need to modify the query +- if (fParts[1]) { +- // This is the base filter +- preFilter = h2s(tmpFilter); +- // This is the user supplied text. 
+- var re = new RegExp("^" + fParts[0] + "\\s{1}|[';\\\`]","g"); +- theQuestion = fParts.join(' ').replace(re, ""); +- // We will accept multiple questions if they are comma delimited +- questionParts = theQuestion.split(","); +- if (questionParts.length > 1) { +- var f = '('; +- for (var i = 0; i < questionParts.length; i++) { +- f += preFilter.replace(/\$/g, questionParts[i]); +- if (i != (questionParts.length - 1)) { +- f += " OR "; +- } +- } +- f += ')'; +- theFilter = s2h(f); +- } else { +- var newFilter = preFilter.replace(/\$/g, questionParts[0]); +- theFilter = s2h(newFilter); +- } +- } else { +- theFilter = tmpFilter; +- } +- } else { // The filter does not exist +- theFilter = s2h('empty'); +- } +- } +- } else { // No filter supplied +- theFilter = s2h('empty'); +- } +- return theFilter; +- } +- +- // +- // This creates the views for each level +- // +- +- function eventList (type) { +- theWhen = getTimestamp(); +- statusPoll(0); +- var parts = type.split("-"); +- var filterMsg = ''; +- var rt = 0; +- var theSensors = s2h('empty'); +- var theFilter = mkFilter(); +- +- // See if we are just RT events +- if ($('#rt').text() == 'on' || rtbit == 1) { +- rt = 1; +- rtbit = 1; +- } +- // How are we sorting? 
+- var sortval = $("#event_sort").val(), sorttxt; +- switch (sortval) { +- case "DESC": sorttxt = "show oldest first"; break; +- case "ASC": sorttxt = "show newest first"; break; +- } +- +- // See if we are filtering by sensor +- if ($('.chk_sen:checked').length > 0) { +- var active_sensors = "AND event.sid IN("; +- var iter = $('.chk_sen:checked').length; +- $('.chk_sen:checked').each(function() { +- active_sensors += "'" + $(this).val() + "',"; +- }); +- active_sensors = active_sensors.replace(/,+$/,''); +- active_sensors += ")"; +- theSensors = s2h(active_sensors); +- } +- +- // Check for any filters +- if (h2s(theFilter) != 'empty') { +- $('.fl_val').text('YES'); +- } else { +- $('.fl_val').text('NO'); +- } +- +- switch (parts[0]) { +- +- // Level 0 view - Grouped by Signature +- case "0": +- $('.value').text('-'); +- +- // Times Chart +- var urChrtArgs = "type=22&ts=" + theWhen + "&filter=" + theFilter + "&sensors=" + theSensors; +- $(function(){ +- $.get(".inc/callback.php?" + urChrtArgs, function(data){cb22(data)}); +- }); +- +- function cb22(data){ +- eval("chartData=" + data); +- var r = chartData.r; +- if (r > 0) { +- mkLine(".times",chartData.rows,chartData.m); +- } +- } +- +- var urArgs = "type=" + parts[0] + "&ts=" + theWhen + "&filter=" + theFilter + "&sensors=" + theSensors + "&rt=" + rt + "&sv=" + sortval; +- $(function(){ +- $.get(".inc/callback.php?" 
+ urArgs, function(data){cb1(data)}); +- }); +- function cb1(data){ +- eval("d0=" + data); +- var tbl = ''; +- var head = ''; +- var row = ''; +- var cols = 11; +- +- if (rt == 0) cols = 12; +- head += ""; +- head += ""; +- head += "QUEUE"; +- if (rt == 0) head += "ALL"; +- head += ""; +- head += "SC"; +- head += "DC"; +- if (rt == 0) head += "CLASS"; +- head += "ACTIVITY"; +- head += "LAST EVENT"; +- head += "SIGNATURE"; +- head += "ID"; +- head += "PROTO"; +- head += "% TOTAL"; +- head += ""; +- +- var sumEC = 0, sumSC = 0, sumDC = 0, sumSI = "-", spr1 = 0, spr2 = 0, spr3 = 0, spr4 = 0; +- +- if (d0.length > 0) { +- // Sums for boxes +- for (var i=0; i"; +- row += "No result. If this is unexpected try this"; +- } +- +- if (rt == 1) { +- sumSC = "-"; +- sumDC = "-"; +- sumEC = eTotal; +- } +- +- var sumRT = 0; +- +- // Tag Array +- var tags = new Array(); +- +- for (var i=0; i 0 ) { +- rtClass = "b_ec_hot"; +- sumRT += parseInt(unClass); +- } else { +- rtClass = "b_ec_cold"; +- } +- +- // Sum priorities +- var prC = Number(d0[i].f1); +- switch (d0[i].f13) { +- case "1": spr1 += prC; break; +- case "2": spr2 += prC; break; +- case "3": spr3 += prC; break; +- default: spr4 += prC; break; +- } +- +- rid = "r" + i + "-" + parts[1]; +- var cells = mkGrid(d0[i].f12); +- if (rt == 0) var catCells = catGrid(d0[i].f11,0,0); +- row += ""; +- row += "
" + unClass + "
"; +- if (rt == 0) row += "
" + d0[i].f1 + "
"; +- row += "
" + d0[i].f13 + "
"; +- row += "" +d0[i].f6+ ""; +- row += "" +d0[i].f7+ ""; +- if (rt == 0) row += "" + catCells + ""; +- +- timeParts = d0[i].f5.split(" "); +- timeStamp = timeParts[1]; +- +- if ( sumEC > 0) { +- rowPer = Number(d0[i].f1/sumEC*100).toFixed(3); +- } else { +- rowPer = "0.000"; +- } +- +- row += "" + cells + ""; +- row += "" + timeStamp + ""; +- row += ""; +- //row += "
" + d0[i].f2 + "
"; +- row += d0[i].f2 + ""; +- row += "" + d0[i].f3 + ""; +- row += "" + d0[i].f8 + ""; +- +- +- row += "" + rowPer + "%"; +- row += ""; +- } +- +- // Populate event summary +- $('#qtotal').text(sumRT); +- $('#etotal').text(sumEC); +- $('#esignature').text(sumSI); +- +- // Populate tags +- for (var i=0; i < tags.length; i++) { +- addTag(tags[i]); +- } +- +- tbl += ""; +- tbl += head; +- tbl += row; +- tbl += "
"; +- +- $('#' + parts[1] + '-' + parts[2]).append(tbl); +- +- if (d0.length > 0) { +- var prVals = [spr1,spr2,spr3,spr4]; +- var pryBar = mkPribar(prVals); +- } else { +- var pryBar = mkPribar([0]); +- } +- $('#tl1').fadeIn('slow'); +- $("#tl1").tablesorter(); +- $("#loader").hide(); +- } +- break; +- +- // Level 1 view - Grouped by signature, source, destination +- +- case "1": +- var urArgs = "type=" + parts[0] + "&object=" + parts[1] + "&ts=" + theWhen + "&filter=" + theFilter + "&sensors=" + theSensors + "&rt=" + rt + "&sv=" + sortval; +- $(function(){ +- $.get(".inc/callback.php?" + urArgs, function(data){cb2(data)}); +- }); +- +- function cb2(data){ +- eval("theData=" + data); +- tbl = ''; +- head = ''; +- row = ''; +- head += "QUEUE"; +- if (rt == 0) head += "TOTAL"; +- if (rt == 0) head += "CLASS"; +- head += "ACTIVITY"; +- head += "LAST EVENT"; +- head += "SOURCE"; +- head += "AGE"; +- head += "COUNTRY"; +- head += "DESTINATION"; +- head += "AGE"; +- head += "COUNTRY"; +- head += ""; +- var curclasscount = 0, tlCount = 0, rtCount = 0; +- var timeValues = "", scid = ""; +- +- // Tag array +- var tags = new Array(); +- +- for (var i=0; i 0 ) { +- rtClass = "b_ec_hot"; +- isActive = "sub_active"; +- } else { +- rtClass = "b_ec_cold"; +- isActive = "sub"; +- } +- +- // Aggregate time values +- timeValues += theData[i].c_ts + ","; +- var cells = mkGrid(theData[i].f12); +- if (rt == 0) var catCells = catGrid(theData[i].c_status,0,0); +- +- // Event sums +- tlCount += parseInt(count,10); +- rtCount += parseInt(unclass,10); +- +- rid = "r" + i + "-" + parts[1] + "-" + src_ip + "-" + dst_ip; +- row += ""; +- row += "
" + unclass + "
"; +- if (rt == 0) row += "
" + count + "
"; +- if (rt == 0) row += "" + catCells + ""; +- row += "" + cells + ""; +- row += "" + max_time + ""; +- row += "
" + src_ip + ""; +- row += "" + src_age_n + ""; +- row += ""; +- row += cs[1] + src_clong + " (." + src_cc.toLowerCase() + ")" + ""; +- row += "
" + dst_ip + ""; +- row += "" + dst_age_n + ""; +- row += ""; +- row += cd[1] + dst_clong + " (." + dst_cc.toLowerCase() + ")" + ""; +- row += ""; +- } +- +- // Populate tags +- for (var i=0; i < tags.length; i++) { +- addTag(tags[i]); +- } +- +- // Add scid's to checkbox +- $("#ca0").data("scid", scid.replace(/,$/, "")); +- +- // If queue is empty provide event sums in case the user +- // intends to reclass anything +- if (rtbit == 1) { +- curclasscount = rtCount; +- } else { +- curclasscount = tlCount; +- } +- +- // update class_count +- $("#class_count").html(curclasscount); +- lastclasscount = $("#class_count").html(); +- +- // While in grouped events (RT) we remove rows as +- // they are classed and subtract the values from "Total Events" +- // This keeps etotal up to date so the math doesn't get silly +- var oldrt = Number($(".d_row_active").find(".b_ec_hot").text()); +- var oldec = Number($("#etotal").text()); +- if (oldrt < rtCount) { +- newrtcount = parseInt((rtCount - oldrt) + oldec); +- $("#etotal").text(newrtcount); +- } +- +- // Update parent counts +- $(".d_row_active").find(".b_ec_hot").text(rtCount); +- if (rt == 0) $(".d_row_active").find(".b_ec_total").text(tlCount); +- +- tbl += "
"; +- tbl += head; +- tbl += row; +- tbl += "
"; +- $("#eview").after(tbl); +- $("#tl2").tablesorter({ +- headers: { +- 4: {sorter:'ipv4'}, +- 6: {sorter:'ipv4'} +- } +- }); +- $("#loader").hide(); +- } +- break; +- +- // Level 2 view - No grouping, individual events +- +- case "2": +- var rowLoke = parts[1]; +- var filter = $('#' + parts[1]).data('filter'); +- var urArgs = "type=" + parts[0] + "&object=" + filter + "&filter=" + theFilter + "&sensors=" + theSensors + "&ts=" + theWhen + "&adqp=" + parts[2] + "&rt=" + rt + "&sv=" + sortval; +- $(function(){ +- $.get(".inc/callback.php?" + urArgs, function(data){cb3(data)}); +- }); +- +- function cb3(data){ +- eval("d2=" + data); +- tbl = ''; +- head = ''; +- row = ''; +- head += ""; +- head += ""; +- head += "ST"; +- head += "TIMESTAMP"; +- head += "EVENT ID"; +- head += "SOURCE"; +- head += "PORT"; +- head += "DESTINATION"; +- head += "PORT"; +- head += "SIGNATURE"; +- head += ""; +- +- // Update class_count +- $("#class_count").html(0); +- var tlCount=0, rtCount=0; +- +- // Tag array +- var tags= new Array(); +- +- for (var i=0; i"; +- tclass = "c" + eclass; +- cv = classifications.class[tclass][0].short; +- +- // Populate tags array +- if (src_tag != "-") { +- var src_tags = src_tag.split(","); +- $.each(src_tags, function(n,tag) { +- var t = tags.indexOf(tag); +- if (t < 0) tags.push(tag); +- }); +- } +- +- if (dst_tag != "-") { +- var dst_tags = dst_tag.split(","); +- $.each(dst_tags, function(n,tag) { +- var t = tags.indexOf(tag); +- if (t < 0) tags.push(tag); +- }); +- } +- +- // Timestamp +- var compts = d2[i].f2.split(",") || "--"; +- var timestamp = compts[0]; +- var utctimestamp = compts[1]; +- +- // Event sums +- tlCount += parseInt(1,10); +- if (cv == "RT") { +- rtCount += parseInt(1,10); +- } +- +- // Transcript link +- // original Squert native pivot: +- //txdata = "s" + i + "-" + cid + "-" + s2h(sid + "|" + utctimestamp + "|" + src_ip + "|" + src_port + "|" + dst_ip + "|" + dst_port); +- //txBit = "" + sid + "." + cid + "
"; +- //if (src_port != "-" && dst_port != "-") { +- // txBit = "" + sid + "." + cid + ""; +- //} +- // new pivot to CapMe: +- txdata = "s" + i + "-" + cid + "-" + s2h(sid + "|" + utctimestamp + "|" + src_ip + "|" + src_port + "|" + dst_ip + "|" + dst_port); +- txBit = "" + sid + "." + cid + ""; +- if (src_port != "-" && dst_port != "-") { +- var startDate = new Date(utctimestamp); +- var start_tz_offset = (startDate.getTimezoneOffset()); +- var stime = startDate.setTime( startDate.getTime()/1000-(start_tz_offset*60) ) - 3600; +- var endDate = new Date(utctimestamp); +- var end_tz_offset = (endDate.getTimezoneOffset()); +- var etime = endDate.setTime( endDate.getTime()/1000-(end_tz_offset*60) ) + 3600; +- txBit = " " + sid + "." + cid + ""; +- } +- +- row += ""; +- row += "
"; +- row += cv + "
"; +- row += "" + timestamp + ""; +- row += txBit; +- row += "" + src_ip + ""; +- row += "" + src_port + ""; +- row += "" + dst_ip + ""; +- row += "" + dst_port + ""; +- row += "" + signature + ""; +- row += ""; +- } +- +- // Update parent counts +- $(".d_row_sub_active").find(".b_ec_hot").text(rtCount); +- if ($(".d_row_sub_active").find(".b_ec_total").text() < tlCount) { +- $(".d_row_sub_active").find(".b_ec_total").text(tlCount); +- } +- +- var cols = $('th.sort').length; +- +- // Populate tags +- clearTags(); +- for (var i=0; i < tags.length; i++) { +- addTag(tags[i]); +- } +- +- tbl += ""; +- tbl += ""; +- tbl += head; +- tbl += row; +- tbl += "
"; +- $("#" + rowLoke).after(tbl); +- $(".d_row_sub").fadeTo('0','0.2'); +- $("#loader").hide(); +- $("#tl3").tablesorter({ +- headers: { +- 0:{sorter:false}, +- 4:{sorter:'ipv4'}, +- 6:{sorter:'ipv4'} +- }, +- cancelSelection:false +- }); +- $("#ca0").hide(); +- } +- break; +- +- // Level 2a view - No grouping, individual events +- +- case "2a": +- $('.value').text('-'); +- var urArgs = "type=2a&ts=" + theWhen + "&filter=" + theFilter + "&sensors=" + theSensors + "&rt=" + rt + "&sv=" + sortval; +- $(function(){ +- $.get(".inc/callback.php?" + urArgs, function(data){cb3a(data)}); +- }); +- +- function cb3a(data){ +- eval("d2a=" + data); +- var tbl = ''; +- var head = ''; +- var row = ''; +- var disabled = ''; +- if (d2a.length == 0) { +- disabled = "disabled"; +- row += ""; +- row += "No result. If this is unexpected try this"; +- } +- +- head += ""; +- head += ""; +- head += ""; +- head += "ST"; +- head += ""; +- head += "TIMESTAMP"; +- head += "ID"; +- head += "SOURCE"; +- head += "PORT"; +- head += "AGE"; +- head += "CC"; +- head += "DESTINATION"; +- head += "PORT"; +- head += "AGE"; +- head += "CC"; +- head += "SIGNATURE"; +- head += ""; +- +- // Aggregate time values +- var timeValues = ""; +- for (var ts=0; ts" + sid + "." + cid + ""; +- //if (src_port != "-" && dst_port != "-") { +- // txBit = "" + sid + "." + cid + ""; +- //} +- // new pivot to CapMe: +- txdata = "s" + i + "-" + cid + "-" + s2h(sid + "|" + utctimestamp + "|" + src_ip + "|" + src_port + "|" + dst_ip + "|" + dst_port); +- txBit = "" + sid + "." + cid + ""; +- if (src_port != "-" && dst_port != "-") { +- var startDate = new Date(utctimestamp); +- var start_tz_offset = (startDate.getTimezoneOffset()); +- var stime = startDate.setTime( startDate.getTime()/1000-(start_tz_offset*60) ) - 3600; +- var endDate = new Date(utctimestamp); +- var end_tz_offset = (endDate.getTimezoneOffset()); +- var etime = endDate.setTime( endDate.getTime()/1000-(end_tz_offset*60) ) + 3600; +- txBit = " " + sid + "." 
+ cid + ""; +- } +- +- row += ""; +- row += ""; +- row += "
"; +- row += cv + "
"; +- row += "
" + d2a[i].f16 + "
"; +- row += "" + timestamp + ""; +- row += txBit; +- row += "
" + src_ip + ""; +- row += "" + src_port + ""; +- row += "" + src_age_n + ""; +- row += "" + cs[1] + ""; +- row += "
" + dst_ip + ""; +- row += "" + dst_port + ""; +- row += "" + dst_age_n + "" +- row += "" + cd[1] + ""; +- row += "" + signature + ""; +- } +- +- var sumED = 0, sumEC = 0, cmsg = ""; +- +- if (d2a.length > 0) { +- sumED = i; +- sumEC = d2a.length; +- } +- +- if (d2a.length >= maxI) { +- sumRE = sumEC - maxI; +- cmsg = " / " + sumRE + " not shown"; +- } +- +- $("#qtotal").html(rsumRT); +- +- // Populate tags +- clearTags(); +- for (var i=0; i < tags.length; i++) { +- addTag(tags[i]); +- } +- +- // Draw +- tbl += ""; +- tbl += "
"; +- tbl += "
"; +- tbl += "
"; +- tbl += "categorize " + 0 + ""; +- tbl += " of " + sumED + " event(s)" + cmsg; +- tbl += "
"; +- tbl += "
" + sorttxt + "
"; +- tbl += "
"; +- tbl += "
"; +- tbl += ""; +- tbl += head; +- tbl += row; +- tbl += "
"; +- $('#' + parts[1] + '-' + parts[2]).after(tbl); +- +- if (d2a.length > 0) { +- var prVals = [spr1,spr2,spr3,spr4]; +- var pryBar = mkPribar(prVals); +- } else { +- var pryBar = mkPribar([0]); +- } +- $("#tl3a,#tl3b").fadeIn('slow'); +- $("#tl3b").tablesorter({ +- headers: { +- 0:{sorter:false}, +- 1:{sorter:false}, +- 5:{sorter:'ipv4'}, +- 8:{sorter:'ipv4'} +- }, +- cancelSelection:false +- }); +- $("#loader").hide(); +- } +- break; +- +- // Level 3 view - Packet Data +- +- case "3": +- var rowLoke = parts[1]; +- var nCols = $('#' + parts[1]).data('cols'); +- var filter = $('#' + parts[1]).data('filter'); +- var urArgs = "type=" + parts[0] + "&object=" + filter + "&ts=" + theWhen; +- var sg = $('#' + parts[1]).data('sg'); +- $(function(){ +- $.get(".inc/callback.php?" + urArgs, function(data){cb4(data)}); +- }); +- +- function cb4(data){ +- eval("theData=" + data); +- +- var tbl = '', head = '', row = ''; +- +- // If IP version is 0 we can jump right to the payload (likely bro, http or ossec agent) +- if (theData[0].ip_ver != 0) { +- +- var PDATA = 0; +- head += ""; +- head += ""; +- head += ""; +- head += ""; +- head += ""; +- head += ""; +- head += ""; +- head += ""; +- head += ""; +- head += ""; +- head += ""; +- head += ""; +- head += ""; +- head += ""; +- +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += "
IPVERIHLTOSLENGTHIDFLAGSOFFSETTTLCHECKSUMPROTO
" + theData[0].ip_ver + "" + theData[0].ip_hlen + "" + theData[0].ip_tos + "" + theData[0].ip_len + "" + theData[0].ip_id + "" + theData[0].ip_flags + "" + theData[0].ip_off + "" + theData[0].ip_ttl + "" + theData[0].ip_csum + "" + theData[0].ip_proto + "
"; +- +- switch (theData[0].ip_proto) { +- case "1": +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += "
ICMPTYPECODECHECKSUMIDSEQ#
" + theData[1].icmp_type + "" + theData[1].icmp_code + "" + theData[1].icmp_csum + "" + theData[1].icmp_id + "" + theData[1].icmp_seq + "
"; +- break; +- +- case "6": +- // TCP flags +- var tmpFlags = theData[1].tcp_flags || 'z'; +- switch (tmpFlags) { +- case 'z': var tcpFlags = '--------'; break; +- default: +- var binFlags = Number(theData[1].tcp_flags).toString(2); +- var binPad = 8 - binFlags.length; +- var tcpFlags = "00000000".substring(0,binPad) + binFlags; +- break; +- } +- var tcp_seq = theData[1].tcp_seq || '-'; +- var tcp_ack = theData[1].tcp_ack || '-'; +- var tcp_off = theData[1].tcp_off || '-'; +- var tcp_res = theData[1].tcp_res || '-'; +- var tcp_win = theData[1].tcp_win || '-'; +- var tcp_urp = theData[1].tcp_urp || '-'; +- var tcp_csum = theData[1].tcp_csum || '-'; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += "
TCPR1R0URGACKPSHRSTSYNFINSEQ#ACK#OFFSETRESWINURPCHECKSUM
" + tcpFlags[0] + "" + tcpFlags[1] + "" + tcpFlags[2] + "" + tcpFlags[3] + "" + tcpFlags[4] + "" + tcpFlags[5] + "" + tcpFlags[6] + "" + tcpFlags[7] + "" + tcp_seq + "" + tcp_ack + "" + tcp_off + "" + tcp_res + "" + tcp_win + "" + tcp_urp + "" + tcp_csum + "
"; +- break; +- +- case "17": +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += "
UDPLENGTHCHECKSUM
" + theData[1].udp_len + "" + theData[1].udp_csum + "
"; +- break; +- } +- +- var p_hex = '', p_ascii = '', p_ascii_l = ''; +- +- // Data +- if (!theData[2]) { +- p_hex = "No Data Sent."; +- p_ascii = "No Data Sent."; +- } else { +- p_pl = theData[2].data_payload; +- p_length = theData[2].data_payload.length; +- var b0 = 0; +- +- for(var i=0; i < p_length; i+=2) { +- b0++; +- t_hex = p_pl.substr(i,2); +- t_int = parseInt(t_hex,16); +- +- if ((t_int < 32) || (t_int > 126)) { +- p_hex += t_hex + " "; +- p_ascii += "."; +- p_ascii_l += "."; +- } else if (t_int == 60) { +- p_hex += t_hex + " "; +- p_ascii += "<"; +- p_ascii_l += "<"; +- } else if (t_int == 62) { +- p_hex += t_hex + " "; +- p_ascii += ">"; +- p_ascii_l += ">"; +- } else { +- p_hex += t_hex + " "; +- p_ascii += String.fromCharCode(parseInt(t_hex, 16)); +- p_ascii_l += String.fromCharCode(parseInt(t_hex, 16)); +- } +- +- if ((b0 == 16) && (i < p_length)) { +- p_hex += "
"; +- p_ascii += "
"; +- b0 = 0; +- } +- } +- } +- +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += "
DATAHEXASCII
" + p_hex + "" + p_ascii + "
ASCII" + p_ascii_l + "
"; +- +- } else { +- +- head += ""; +- var p_ascii = "No Data Sent."; +- // This needs to be more robust. +- if (theData[2]) { +- var tmp = h2s(theData[2].data_payload).split("\n"); +- p_ascii = ''; +- for (var i in tmp) { +- p_ascii += "
" + tmp[i] + "
"; +- } +- +- } +- row += ""; +- row += ""; +- row += "
" + p_ascii + "
"; +- } +- +- tbl += ""; +- +- // If we are not grouped we show the signature text +- if ( sg != 0 ) { +- tbl += "
"; +- tbl += "
"; +- tbl += "
"; +- tbl += "
"; +- tbl += "
"; +- tbl += "
"; +- sigLookup(sg); +- } +- +- // Comments and tags are done here +- var tags = new Array(); +- var eventTag = 'None.'; +- var eventComment = theData[0].comment || 'None.'; +- var src_tag = theData[0].srctag || '-'; +- var dst_tag = theData[0].dsttag || '-'; +- +- // Populate tags array +- if (src_tag != "-") { +- var src_tags = src_tag.split(","); +- $.each(src_tags, function(n,tag) { +- var t = tags.indexOf(tag + ",s"); +- if (t < 0) tags.push(tag + ",s"); +- }); +- } +- +- if (dst_tag != "-") { +- var dst_tags = dst_tag.split(","); +- $.each(dst_tags, function(n,tag) { +- var t = tags.indexOf(tag + ",d"); +- if (t < 0) tags.push(tag + ",d"); +- }); +- } +- +- if (tags.length > 0) eventTag = ''; +- +- tbl += "
COMMENTS
"; +- tbl += "
" + eventComment + "
"; +- tbl += "
TAGS
"; +- tbl += "
" + eventTag + "
"; +- if (PDATA != 0) { +- tbl += "
DETAILS
"; +- } else { +- tbl += "
PAYLOAD
"; +- } +- tbl += head; +- tbl += row; +- tbl += ""; +- $("#" + rowLoke).after(tbl); +- $("#loader").hide(); +- +- // Turn off fade effect for large results +- var rC = $(".d_row_sub1").length; +- if ( rC <= 499 ) { +- $(".d_row_sub1").fadeTo('fast','0.2'); +- } +- +- // Populate tags +- clearTags(); +- for (var i=0; i < tags.length; i++) { +- addTag(tags[i]); +- } +- +- } +- break; +- } +- // If event queue is off we need to reset this after load if b_ec_hot was +- // the entry point +- if ($('#rt').text() == 'off') rtbit = 0; +- } +- +- // +- // Object click handlers +- // +- +- $(document).on("click", ".select,.ex_val,.sub_filter,.row_filter,.tof,.value_link,.nr_f", function(e) { +- // Check if we are coming from a legit object +- var prefix = $(this).data('type'); +- if (prefix == "none") return; +- +- // Check if we are coming from a sane selection +- var selLen = window.getSelection().toString().length; +- if (selLen > 4) { +- if (selLen < 255) { // Might need to change these based on how people use this +- prefix = "zz"; +- var suffix = window.getSelection().toString(); +- var re = /\s/g; +- var NOK = re.exec(suffix); +- if (NOK) return; +- } else { +- return; +- } +- } else { +- var suffix = $(this).text(); +- } +- +- var mX = e.pageX; +- var mY = e.pageY; +- +- var colour = $(this).data('col') || "FFFFFF"; +- var tfocus = "#search"; +- switch (prefix) { +- case 'ip': +- hItemAdd(suffix); +- var sord = $(this).data('sord'); +- mkPickBox(prefix,suffix,sord,colour,mX,mY); +- break; +- case 'spt': +- case 'dpt': +- hItemAdd(suffix); +- mkPickBox(prefix,suffix,0,colour,mX,mY); +- break; +- case 'cc': +- case 'scc': +- case 'dcc': +- var cc = $(this).data('value'); +- hItemAdd(cc); +- mkPickBox(prefix,cc,suffix,colour,mX,mY); +- break; +- case 'cmt': +- suffix = $(this).data('comment'); +- $("#rt").text("off"); +- $("#rt").attr('class','tvalue_off'); +- $('#search').val(prefix + " " + suffix); +- hItemAdd(suffix); +- if ($('#cat_box').css('display') != 'none') { 
+- $('#ico01').click(); +- } +- $('.b_update').click(); +- break; +- case 'cmt_c': +- $('.cat_msg_txt').val(suffix); +- hItemAdd(suffix); +- tfocus = ".cat_msg_txt"; +- break; +- case 'fil': +- var fil = $(this).data('value'); +- $('#search').val(fil); +- hItemAdd(fil); +- if ($('#fltr_box').css('display') != 'none') { +- $('#ico04').click(); +- } +- $('.b_update').click(); +- break; +- case 'sid': +- var value = $(this).data('value'); +- hItemAdd(suffix); +- mkPickBox(prefix,value,suffix,colour,mX,mY); +- break; +- case 'st': +- var suffix = $(this).attr('id').split('-')[1]; +- $('#search').val(prefix + " " + suffix); +- // RT must be off to return anything +- $('#rt').attr('class','tvalue_off'); +- $('#rt').text('off'); +- rtbit = 0; +- $('.b_update').click(); +- break; +- case 'el': +- var suffix = $(this).data('value'); +- mkPickBox(prefix,suffix,0,colour,mX,mY); +- break; +- case 'zz': +- hItemAdd(suffix); +- mkPickBox(prefix,suffix,0,colour,mX,mY); +- break; +- } +- }); +- +- // +- // Picker Box +- // +- +- function mkPickBox(prefix,suffix,rsuffix,colour,mX,mY) { +- var doexternals = "yes"; +- var objhex = s2h(suffix); +- var tbl = '', row = ''; +- // Local stuff first +- switch (prefix[prefix.length - 1]) { +- case "c": +- row += ":: SRC or DST"; +- row += ":: SRC"; +- row += ":: DST"; +- row += ":: SEARCH"; +- break; +- case "p": +- row += ":: SRC or DST"; +- row += ":: SRC"; +- row += ":: DST"; +- row += ":: ADD / REMOVE TAG"; +- if ($('.sigtxt')[0]) { +- row += ":: HISTORY"; +- } +- row += ":: SEARCH"; +- row += ":: COLOUR  "; +- row += ""; +- row += "apply"; +- row += "apply all"; +- row += ""; +- break; +- case "t": +- row += ":: SRC"; +- row += ":: DST"; +- row += ":: SEARCH"; +- break; +- case "d": +- row += ":: SIGNATURE"; +- if ($('.sigtxt')[0]) { +- row += ":: HISTORY"; +- } +- row += ":: SEARCH"; +- break; +- case "l": +- row += ":: COLOUR  "; +- row += ""; +- row += "update"; +- doexternals = "no"; +- break; +- case "z": +- row += ":: SEARCH"; +- 
break; +- } +- +- // If applicable populate externals +- if (doexternals == "yes") { +- $('.f_row').each(function() { +- var ct = $(this).data('type'); +- if (ct == 'url') { +- var alias = $(this).data('alias'); +- var name = $(this).data('name'); +- var url = $(this).data('filter'); +- row += ""; +- row += "" + name + ""; +- row += ""; +- } +- }); +- } +- +- tbl += ""; +- tbl += row; +- tbl += "
"; +- +- var boxlabel = suffix; +- +- // Use more descriptive names where possible +- var re = /(sid|cc|scc|dcc)/; +- var OK = re.exec(prefix); +- if (OK) { +- var boxlabel = rsuffix; +- } +- +- if (boxlabel.length > 24) { +- boxlabel = boxlabel.substring(0,24); +- boxlabel += ".."; +- } +- +- $('#pickbox_label').text(boxlabel).css('font-weight','normal').data('sord', rsuffix); +- +- if ($('#tlpick')[0]) $('#tlpick').remove(); +- $(".pickbox_tbl").append(tbl); +- $('.pickbox').fadeIn('fast'); +- +- // Colour Picker +- $("#menucol").spectrum({ +- showInput: true, +- className: "full-spectrum", +- showInitial: true, +- showPalette: true, +- showSelectionPalette: true, +- maxPaletteSize: 6, +- preferredFormat: "hex", +- localStorageKey: "spectrum.demo", +- move: function (color) {}, +- show: function () {}, +- beforeShow: function () {}, +- hide: function () {}, +- change: function() {}, +- palette: [ +- ['rgb(217,217,217)','rgb(189,189,189)','rgb(150,150,150)','rgb(99,99,99)','rgb(37,37,37)'], +- ['rgb(199,233,192)','rgb(161,217,155)','rgb(116,196,118)','rgb(49,163,84)','rgb(0,109,44)'], +- ['rgb(218,218,235)','rgb(188,189,220)','rgb(158,154,200)','rgb(117,107,177)','rgb(84,39,143)'], +- ['rgb(198,219,239)','rgb(158,202,225)','rgb(107,174,214)','rgb(49,130,189)','rgb(8,81,156)'], +- ['rgb(254,217,118)','rgb(254,178,76)','rgb(253,141,60)','rgb(240,59,32)','rgb(189,0,38)'] +- ] +- }); +- } +- +- // Pickbox click events +- $(document).on('click', '.p_row', function() { +- if ($('.tagbox').css('display') != 'none') $('.tagcancel').click(); +- var ctype = $(this).data('type'); +- var alias = $(this).data('alias'); +- var args = $('#tlpick').data('val'); +- switch(ctype) { +- case "l": +- $('.pickbox').fadeOut('fast'); +- $('#search').val(alias + " " + args); +- $('.b_update').click(); +- break; +- case "r": +- $('.pickbox').fadeOut('fast'); +- var url = h2s($(this).data('url')).replace("${var}", args); +- window.open(url); +- break; +- case "t": +- 
$('.tagbox').fadeIn('fast'); +- $('.taginput').focus(); +- break; +- case "s": +- $('.pickbox').fadeOut('fast', function() {; +- $('#ico05').click(); +- }); +- $('.srch_txt').val(args); +- break; +- case "h": +- doHistory(args); +- $('.pickbox').fadeOut('fast'); +- break; +- default: return; +- } +- }); +- +- // +- // Tags +- // +- +- // Truncate +- function truncTag(tag,len) { +- if (tag.length > len) tag = tag.substring(0,len) + ".."; +- return tag; +- } +- +- // Filter results or add as new +- $(document).on('click', '.tag', function() { +- var tag = $(this).data('val'); +- if($('.taginput').is(":visible")) { +- $('.taginput').val(tag); +- $('.taginput').focus(); +- } else { +- $('#search').val('tag ' + tag); +- $('.b_update').click(); +- } +- }); +- +- // Remove individual tags on "(X)" click via payload area +- $(document).on('mouseenter', '.tag_d, .tag_s', function() { +- var tag = $(this).data('val'); +- if ($(".tag_x")[0]) return; +- var dw = $(this).width() - 5 + "px"; +- $(this).append("
X
"); +- $(".tag_x").css("margin-left", dw); +- $(".tag_x").fadeIn("slow"); +- +- }); +- +- $(document).on('mouseleave', '.tag_d, .tag_s', function() { +- $('.tag_x').remove(); +- }); +- +- $(document).on('click', '.tag_x', function() { +- var tag = $(this).parent().data("val"); +- var obj = $(this).parent().data("obj"); +- $(this).parent().remove(); +- var len = $("#tag_area").text().length; +- if (len == 0) $("#tag_area").append("None."); +- //doTag(s2h(obj),tag,'rm'); +- }); +- +- // Fire tag add on enter +- $('.taginput').keypress(function(e) { +- if (!e) e=window.event; +- key = e.keyCode ? e.keyCode : e.which; +- if (key == 13) $('.tagok').click(); +- }); +- +- // Close tag entry +- $(document).on('click', '.tagcancel', function() { +- $('.taginput').val(''); +- $('.tagbox').fadeOut('fast'); +- }); +- +- // Add a tag +- $(document).on('click', '.tagok', function() { +- var tag = $('.taginput').val(); +- var obj = $('#pickbox_label').text(); +- var re = /^[?a-zA-Z0-9][\s{1}\w-\.]*$/; +- var OK = re.exec(tag); +- if (OK) doTag(s2h(obj),tag,'add'); +- }); +- +- // Remove a tag +- $(document).on('click', '.tagrm', function() { +- var tag = truncTag($('.taginput').val(),20); +- var obj = $('#pickbox_label').text(); +- doTag(s2h(obj),tag,'rm'); +- $(".tag" + ":contains('" + tag + "')").remove(); +- $('.tagcancel').click(); +- }); +- +- // Display or Toggle tags +- function addTag(tag) { +- // If we entered from payload we have some additional info +- if ($('#eview_sub2')[0]) { +- var longTag = tag.split(",")[0]; +- var theClass = tag.split(",")[1]; +- var t_tag = truncTag(longTag,20); +- } else { +- var t_tag = truncTag(tag,20); +- } +- +- // Hide empty +- $('.tag_empty').hide(); +- +- // Check if tag exists +- var tag_exists = 0; +- $('.tag').each(function() { +- if ($(this).text() == t_tag) { +- $(this).addClass('tag_active'); +- tag_exists = 1; +- } +- }); +- +- // Add tag to left pane +- if (tag_exists == 0) { +- var newTag = "
" + t_tag + "
"; +- $('#tg_box').prepend(newTag); +- } +- +- // If we have the payload open, add here as well +- if ($('#eview_sub2')[0]) { +- if($('#pickbox_label').is(":visible")) { +- theClass = $('#pickbox_label').data('sord')[0]; +- } +- // Remove placeholder +- if ($('#tag_none')[0]) $('#tag_none').remove(); +- var newTag = "
" + t_tag + "
"; +- $('#tag_area').prepend(newTag); +- } +- +- } +- +- function doTag(obj,tag,op) { +- var urArgs = "type=19&obtype=tag&object=" + obj + "&value=" + tag + "&op=" + op; +- $(function(){ +- $.post(".inc/callback.php?" + urArgs, function(data){cb22(data)}); +- }); +- +- function cb22(data){ +- eval("theData=" + data); +- if (theData.msg != '') { +- alert(theData.msg); +- } else { +- if (op != 'rm') addTag(tag); +- $('.tagcancel').click(); +- } +- } +- } +- +- // Colours +- $(document).on('click', '.csave', function() { +- var obtype = $(this).data('obtype'); +- var object = $(this).data('object'); +- var colour = $('#menucol').val().replace(/#/,"").toUpperCase(); +- var op = "add"; +- var re = /^([A-Fa-f0-9]{6}|[A-Fa-f0-9]{3})$/; +- var OK = re.exec(colour); +- if (!OK) return; +- // Single or multiple? +- if (obtype == "src" || obtype == "dst") { +- var vr = new Array(); +- $("." + obtype).each(function() { +- var v = $(this).text(); +- var re = /\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}/; +- var OK = re.exec(v); +- if (OK) { +- var t = vr.indexOf(v); +- if (t < 0) vr.push(v); +- } +- }); +- object = vr.toString(); +- } +- +- var urArgs = "type=19&obtype=" + obtype + "_c&object=" + object + "&value=" + colour + "&op=" + op; +- $(function(){ +- $.post(".inc/callback.php?" + urArgs, function(data){cb22(data)}); +- }); +- +- function cb22(data){ +- eval("theData=" + data); +- if (theData.msg != '') { +- alert(theData.msg); +- } else { // We should be good.. +- var curObject = $('#pickbox_label').text(); +- if (obtype == "el") { +- var html = "
" + colour; +- $('#el_' + curObject).html(html); +- $('#el_' + curObject).data('col', colour); +- } else { +- $(".sub_filter:contains(" + curObject + ")").each(function() { +- $(this).find('.object').css('background-color', '#' + colour).parent().data('col', colour); +- }); +- } +- $('.pickbox').fadeOut('fast'); +- } +- } +- }); +- +- $(document).on('click', '.pickbox_close', function() { +- $('.tagcancel').click(); +- $('.pickbox').fadeOut('fast'); +- }); +- +- // +- // Object History +- // +- +- function hItemAdd(item) { +- var itemTitle = item; +- // Truncate +- if (item.length > 33) { +- itemTitle = item.substring(0,33) + ".."; +- } +- // Remove empty message +- $('.history_empty').hide(); +- +- // If the item doesn't exist, add it. Otherwise, we start counting. +- if ($(".h_item:contains('" + itemTitle + "')").length > 0) { +- var oc = $(".h_item:contains('" + itemTitle + "')").data('n'); +- var nc = Number(oc) + 1; +- var bg = '#c9c9c9'; +- var fn = 'normal'; +- if (nc <= 3) { +- bg = '#000'; +- } else if (nc > 3) { +- bg = '#cc0000'; +- fn = 'bold'; +- } +- +- $(".h_item:contains('" + itemTitle + "')").css('color', bg); +- $(".h_item:contains('" + itemTitle + "')").css('font-weight', fn); +- $(".h_item:contains('" + itemTitle + "')").data('n',nc); +- $(".h_item:contains('" + itemTitle + "')").text(itemTitle + "(" + nc + ")"); +- } else { +- var toAdd = " " + itemTitle + ""; +- $('#h_box').prepend(toAdd); +- } +- } +- +- if (!$('.h_item')[0]) { +- $('.history_empty').show(); +- } +- +- // Alt mappings for icons +- +- $.alt('1', function() { +- $("#ico01").click(); +- }); +- $.alt('2', function() { +- $("#ico02").click(); +- }); +- $.alt('3', function() { +- $("#ico03").click(); +- }); +- $.alt('4', function() { +- $("#ico05").click(); +- }); +- $.alt('5', function() { +- $("#ico04").click(); +- }); +- +- // +- // Event classification +- // +- +- // Use function keys to trigger status buttons +- $(document).keydown(function(event){ +- +- function stopOthers() 
{ +- event.originalEvent.keyCode = 0; +- event.preventDefault(); +- event.stopPropagation(); +- } +- +- switch (event.keyCode) { +- case 112: stopOthers(); $('#b_class-11').click(); break; +- case 113: stopOthers(); $('#b_class-12').click(); break; +- case 114: stopOthers(); $('#b_class-13').click(); break; +- case 115: stopOthers(); $('#b_class-14').click(); break; +- case 116: stopOthers(); $('#b_class-15').click(); break; +- case 117: stopOthers(); $('#b_class-16').click(); break; +- case 118: stopOthers(); $('#b_class-17').click(); break; +- case 119: stopOthers(); $('#b_class-1').click(); break; +- case 120: stopOthers(); $('#b_class-2').click(); break; +- } +- }); +- +- // Comment window status buttons +- $(document).on("click", "#cw_buttons", function(event) { +- var newclass = $(event.target).data('n'); +- if (newclass == 0) { +- $('#b_class-' + newclass).click(); +- } else { +- $('#b_class-' + newclass).click(); +- } +- }); +- +- // Highlight colour for selected events +- var hlcol = "#FFFFE0"; +- var hlhov = "#FDFDD6"; +- +- // Individual selects +- var clickOne = 0, clck1 = 0, clck2 = 0; +- $(document).on("click", ".chk_event", function(event) { +- $("#tl3b").trigger('update'); +- var clickTwo = this.id.split("_"); +- if (Number(clickOne[1]) > Number(clickTwo[1])) { +- clck1 = clickTwo[1]; +- clck2 = clickOne[1]; +- } else { +- clck1 = clickOne[1]; +- clck2 = clickTwo[1]; +- } +- +- if (event.shiftKey) { +- if (clck1 != clck2) { +- $("#s" + clck1).nextUntil("#s" + clck2).find(".chk_event").prop("checked", true); +- $("#s" + clck1).nextUntil("#s" + clck2).css("background-color", hlcol); +- $("#s" + clck1).nextUntil("#s" + clck2).hover( +- function(){$(this).css("background-color", hlhov)}, +- function(){$(this).css("background-color", hlcol)}); +- clickOne = 0, clck1 = 0, clck2 = 0; +- } +- } +- +- // Update class_count +- $("#class_count").html($(".chk_event:checked").length); +- if ($("#ca1:checked").length > 0) { +- $("#ca1").prop("checked",false); +- 
} +- clickOne = this.id.split("_"); +- +- if ($(this).prop("checked") == true) { +- $("#s" + clickTwo[1]).css("background-color", hlcol); +- $("#s" + clickTwo[1]).hover(function(){$(this).css("background-color", hlhov)}, +- function(){$(this).css("background-color", hlcol)}); +- } else { +- $("#s" + clickTwo[1]).css("background-color", "transparent"); +- $("#s" + clickTwo[1]).hover(function(){$(this).css("background-color", "#f4f4f4")}, +- function(){$(this).css("background-color", "transparent")}); +- } +- }); +- +- // Select all (2) +- $(document).on("click", "#ca1", function(event) { +- var chkLen = $("#ca1:checked").length; +- switch(chkLen) { +- case 0: +- $(".chk_event").prop("checked",false); +- $("#ca0").prop("checked",false); +- $(".d_row_sub1").css("background-color", "transparent"); +- $(".d_row_sub1").hover(function(){$(this).css("background-color", "#f4f4f4")}, +- function(){$(this).css("background-color", "transparent")}); +- break; +- default: +- $(".chk_event").each(function() { +- if ($(this).prop("disabled") == false) { +- $(this).prop("checked",true); +- } +- }); +- $(".d_row_sub1").css("background-color", hlcol); +- $(".d_row_sub1").hover(function(){$(this).css("background-color", hlhov)}, +- function(){$(this).css("background-color", hlcol)}); +- $("#ca0").prop("checked",true); +- break; +- } +- +- if ($(".eview_sub1")[0]) { +- // Update class_count +- $("#class_count").html($(".chk_event:checked").length); +- } +- +- }); +- +- // Select all (2a) - clean this up, the above is almost identical +- $(document).on("click", "#ca2", function(event) { +- var chkLen = $("#ca2:checked").length; +- switch(chkLen) { +- case 0: +- $(".chk_event").prop("checked",false); +- $("#ca2").prop("checked",false); +- $(".d_row_sub1").css("background-color", "transparent"); +- $(".d_row_sub1").hover(function(){$(this).css("background-color", "#f4f4f4")}, +- function(){$(this).css("background-color", "transparent")}); +- break; +- default: +- 
$(".chk_event").each(function() { +- if ($(this).prop("disabled") == false) { +- $(this).prop("checked",true); +- } +- }); +- $(".d_row_sub1").css("background-color", hlcol); +- $(".d_row_sub1").hover(function(){$(this).css("background-color", hlhov)}, +- function(){$(this).css("background-color", hlcol)}); +- $("#ca2").prop("checked",true); +- break; +- } +- // Update class_count +- $("#class_count").html($(".chk_event:checked").length); +- }); +- +- // Class button click +- $(document).on("click", "[id*=\"b_class-\"]", function() { +- // We only fire if something is selected +- var chkLen = parseInt($(".chk_event:checked").length + $(".chk_all:checked").length); +- var intclass = $(this).attr('id').split("-"); +- if (chkLen > 0 && intclass[1] != 0) { +- eClass(this,intclass[1]); +- } +- }); +- +- function eClass(caller,intclass) { +- // The sid.cid values +- var scid= "", scidlist = "", ecls = 0; +- if ($(".eview_sub1")[0] || $("#ca2")[0]) { +- $(".chk_event:checked").each(function() { +- if ($(this).data('eclass') == 0) { +- ecls++; +- } +- scid += $(this).val() + ","; +- }); +- scidlist = scid.replace(/,$/, ""); +- } else { +- ecls = $(".d_row_active").find(".b_ec_hot").text(); +- scidlist = $("#ca0").data("scid"); +- } +- +- // Was there a message? +- var msg = "none"; +- if ($(".cat_msg_txt").val().length != 0) { +- msg = $(".cat_msg_txt").val(); +- } +- +- if ($('#cat_box').css('display') != 'none') { +- $('#ico01').click(); +- } +- +- // We are now ready to class +- var catdata = intclass + "|||" + msg + "|||" + scidlist; +- var urArgs = "type=" + 9; +- $(function(){ +- $.post(".inc/callback.php?" 
+ urArgs, { catdata: catdata } ,function(data){cb9(data)}); +- }); +- +- function cb9(data){ +- eval("catRaw=" + data); +- catDbg = catRaw.dbg; +- if (catDbg == "0") { +- +- var curtotalrtcount = Number(ecls); +- // Working on grouped events +- if ($("#gr").text() == "on") { +- curclasscount = Number($("#class_count").text()); +- var curtotalparentcount = $(".d_row_active").find(".b_ec_hot").text(); +- // Do we have queued events? +- if (curtotalparentcount > 0) { +- +- // Are we working on queued events? +- if (curtotalrtcount > 0) { +- curclasscount = curtotalrtcount; +- } else { +- curclasscount = 0; +- } +- // Adjust the parent count +- newparentcount = parseInt(curtotalparentcount - curclasscount,10); +- $(".d_row_active").find(".b_ec_hot").text(newparentcount); +- +- if (newparentcount == 0) { +- $(".d_row_active").find(".b_ec_hot").parent().attr('class','row'); +- $(".d_row_active").find(".b_ec_hot").attr('class','b_ec_cold'); +- } +- +- // If we are working within the child, adjust accordingly +- if ($(".eview_sub1")[0]) { +- // How many are in the child +- curtotalchildcount = $(".d_row_sub_active").find(".b_ec_hot").text(); +- +- // Adjust the child count +- newchildcount = parseInt(curtotalchildcount - curclasscount,10); +- $(".d_row_sub_active").find(".b_ec_hot").text(newchildcount); +- if (newchildcount == 0) { +- $("#ca1").prop("disabled",true); +- $(".d_row_sub_active").find(".b_ec_hot").parent().attr('class','sub'); +- $(".d_row_sub_active").find(".b_ec_hot").attr('class','b_ec_cold'); +- } +- // Otherwise we were called from the parent +- } else { +- $(".d_row_sub").find(".b_ec_hot").parent().attr('class','sub'); +- $(".d_row_sub").find(".b_ec_hot").text(0); +- $(".d_row_sub").find(".b_ec_hot").attr('class','b_ec_cold'); +- $("#ca0").prop("disabled",true); +- } +- lastclasscount = newparentcount; +- } +- +- // Lastly, update class_count +- if (rtbit == 1 || curtotalrtcount > 0 || $("#eview_sub")[0]) { +- $("#class_count").html(0); +- } else { +- 
$("#class_count").html($(".d_row_active").find(".b_ec_total").text()); +- } +- +- // Working on ungrouped events +- } else { +- $("#class_count").html(lastclasscount); +- } +- +- // What the new classification is +- selClass = $(caller).data("cn"); +- newClass = "a_" + selClass; +- +- // Change visible class and disable if RT +- // If we are RT ungrouped, we just remove +- if ($('#rt').text() == 'on' && $("#ca2")[0]) { +- $(".chk_event:checked").each(function() { +- var pid = $(this).attr("id").split("_"); +- var nid = parseInt(Number(pid[1]) + 1); +- // Remove any open payload or TX panes +- if ($("[id^=eview_]")[0]) { +- $("[id^=eview_]").remove(); +- $(".d_row_sub1").css('opacity','1'); +- } +- // Remove the row +- $("#s" + pid[1]).fadeOut('fast', function() { +- $("#s" + pid[1]).remove(); +- }); +- }); +- +- // Update table (for sorter) +- $("#tl3b").trigger('update'); +- } else { +- // If we are RT and all events are classed we just remove +- if ($('#rt').text() == 'on' && $(".d_row_active").find(".b_ec_hot").text() == 0) { +- $("#active_eview").remove(); +- $(".d_row_active").fadeOut('slow', function (event) { +- $(".d_row_active").remove(); +- var newsigtotal = "-"; +- var sigtotal = $("#esignature").text(); +- if (sigtotal > 0) { +- newsigtotal = parseInt(sigtotal - 1); +- } +- $("#esignature").text(newsigtotal); +- }); +- $(".d_row").css('opacity','1'); +- } else { +- $(".chk_event:checked").each(function() { +- var n = this.id.split("_"); +- $("#class_box_" + n[1]).attr('class', newClass); +- $("#class_box_" + n[1]).text(selClass); +- if (curtotalparentcount > 0) { +- $(this).prop("disabled",true); +- } +- }); +- } +- $(".d_row_sub1").css("background-color", "#fafafa"); +- $(".d_row_sub1").hover(function(){$(this).css("background-color", "#f4f4f4")}, +- function(){$(this).css("background-color", "#fafafa")}); +- } +- +- // Uncheck everything +- $(".chk_event").prop("checked", false); +- $(".chk_all").prop("checked", false); +- // Remove these scids from 
the L1 scidlist +- if ($("#ca0")[0] && rtbit == 1) { +- var cur_scidlist = scidlist.split(','); +- var active_scidlist = $("#ca0").data("scid"); +- for (var i = 0; i < cur_scidlist.length; i++) { +- active_scidlist = active_scidlist.replace(cur_scidlist[i],''); +- } +- active_scidlist = active_scidlist.replace(/,{2,}/g,','); +- active_scidlist = active_scidlist.replace(/(^,|,$)/g,''); +- $("#ca0").data("scid", active_scidlist); +- } +- catMsg(scidlist.split(',').length, curtotalrtcount); +- } else { +- catMsg(0); +- } +- } +- } +- +- function catMsg(count, rtcount) { +- switch (count) { +- default: +- var ess = ''; +- if ( count > 1 ) ess = 's'; +- +- var numrows = Number($('.d_row').length + $('.d_row_sub1').length); +- var newboxtotal = 0, newcatcount = 0; +- newboxtotal = parseInt($("#qtotal").text() - rtcount); +- $("#qtotal").text(newboxtotal); +- +- // If we are just rt update Total boxes as we go +- if ($("#ca2")[0]) { // We are ungrouped +- newcatcount = parseInt($("#cat_count").text() - count); +- if (newcatcount == 0) { +- newView("u"); +- } else { +- $("#cat_count").text(newcatcount); +- } +- } +- +- if (numrows == 0) { +- newView("u"); +- } +- +- var msg = count + " event" + ess + " categorized"; +- clearTags(); +- break; +- } +- +- $("span.class_msg").text(msg); +- $("span.class_msg").fadeIn('slow', function() { +- setTimeout(function(){ +- $(".class_msg").fadeOut('slow'); +- }, 3000); +- }); +- } +- +- // Load summary tab +- function loadSummary() { +- var limit = 10; +- if ($('#wm0')[0]) { +- doMap("redraw"); +- } else { +- doMap("draw"); +- } +- mkSummary("signature",limit); +- mkSummary("srcip",limit); +- mkSummary("dstip",limit); +- mkSummary("srcpt",limit); +- mkSummary("dstpt",limit); +- mkSummary("srccc",limit); +- mkSummary("dstcc",limit); +- } +- +- // Toggle summary section +- $(document).on("click", ".hidepane", function(e) { +- $('#topsignature').toggle(); +- }); +- +- // Summary tab +- function mkSummary(box,limit) { +- var theWhen = 
getTimestamp(); +- var theSensors = s2h('empty'); +- var theFilter = mkFilter(); +- // See if we are filtering by sensor +- if ($('.chk_sen:checked').length > 0) { +- var active_sensors = "AND event.sid IN("; +- var iter = $('.chk_sen:checked').length; +- $('.chk_sen:checked').each(function() { +- active_sensors += "'" + $(this).val() + "',"; +- }); +- active_sensors = active_sensors.replace(/,+$/,''); +- active_sensors += ")"; +- theSensors = s2h(active_sensors); +- } +- +- var ldr = "
"; +- $('#ov_' + box + '_sl').prepend(ldr); +- $('#top' + box).fadeTo('fast', 0.2); +- switch (box) { +- case "srcip": +- var cbArgs = "srcip"; +- var qargs = "ip-src"; +- var urArgs = "type=15&qargs=" + qargs + "&filter=" + theFilter + "&sensors=" + theSensors + "&limit=" + limit + "&ts=" + theWhen; +- $(function(){ +- $.get(".inc/callback.php?" + urArgs, function(data){cb15(data,cbArgs)}); +- }); +- break; +- case "dstip": +- var cbArgs = "dstip"; +- var qargs = "ip-dst"; +- var urArgs = "type=15&qargs=" + qargs + "&filter=" + theFilter + "&sensors=" + theSensors + "&limit=" + limit + "&ts=" + theWhen; +- $(function(){ +- $.get(".inc/callback.php?" + urArgs, function(data){cb15(data,cbArgs)}); +- }); +- break; +- case "srcpt": +- var cbArgs = "srcpt"; +- var qargs = "pt-src"; +- var urArgs = "type=15&qargs=" + qargs + "&filter=" + theFilter + "&sensors=" + theSensors + "&limit=" + limit + "&ts=" + theWhen; +- $(function(){ +- $.get(".inc/callback.php?" + urArgs, function(data){cb17(data,cbArgs)}); +- }); +- break; +- case "dstpt": +- var cbArgs = "dstpt"; +- var qargs = "pt-dst"; +- var urArgs = "type=15&qargs=" + qargs + "&filter=" + theFilter + "&sensors=" + theSensors + "&limit=" + limit + "&ts=" + theWhen; +- $(function(){ +- $.get(".inc/callback.php?" + urArgs, function(data){cb17(data,cbArgs)}); +- }); +- break; +- case "signature": +- var qargs = "sig-sig"; +- var urArgs = "type=15&qargs=" + qargs + "&filter=" + theFilter + "&sensors=" + theSensors + "&limit=" + limit + "&ts=" + theWhen; +- $(function(){ +- $.get(".inc/callback.php?" + urArgs, function(data){cb16(data)}); +- }); +- break; +- case "srccc": +- var cbArgs = "srccc"; +- var qargs = "cc-src"; +- var urArgs = "type=15&qargs=" + qargs + "&filter=" + theFilter + "&sensors=" + theSensors + "&limit=" + limit + "&ts=" + theWhen; +- $(function(){ +- $.get(".inc/callback.php?" 
+ urArgs, function(data){cb15(data,cbArgs)}); +- }); +- break; +- case "dstcc": +- var cbArgs = "dstcc"; +- var qargs = "cc-dst"; +- var urArgs = "type=15&qargs=" + qargs + "&filter=" + theFilter + "&sensors=" + theSensors + "&limit=" + limit + "&ts=" + theWhen; +- $(function(){ +- $.get(".inc/callback.php?" + urArgs, function(data){cb15(data,cbArgs)}); +- }); +- break; +- } +- +- // IP and Country +- function cb15(data,cbArgs){ +- var ch = "SRC"; +- var wip = "d"; +- if (cbArgs[0] == "s") ch = "DST", wip = "s"; +- eval("raw=" + data); +- var tbl = '', head = '', row = ''; +- head += ""; +- head += "COUNT"; +- head += "%TOTAL"; +- head += "#SIG"; +- head += "#" + ch + ""; +- if (cbArgs[3] == "c") { +- head += "COUNTRY"; +- head += "#IP"; +- } else { +- head += "IP"; +- head += "COUNTRY"; +- } +- head += ""; +- +- var eventsum = raw[raw.length - 1].n || 0; +- var records = raw[raw.length - 1].r || 0; +- if (records == 0) { +- row = "No result."; +- $("#ov_" + cbArgs + "_sl").text(""); +- } +- for (var i=0; i 0) per = parseFloat(cnt/eventsum*100).toFixed(2); +- row += ""; +- row += "" + cnt + ""; +- row += "" + per + "%"; +- row += "" + sigs + ""; +- row += "" + ip2 + ""; +- +- if (cbArgs[3] == "c") { +- row += ""; +- row += cs[1] + clong + " (." + cc.toLowerCase() + ")" + ""; +- row += "" + ip + ""; +- } else { +- row += "
" + ip + ""; +- row += ""; +- row += cs[1] + clong + " (." + cc.toLowerCase() + ")" + ""; +- } +- row += ""; +- row += "
"; +- } +- tbl += ""; +- tbl += head; +- tbl += row; +- tbl += "
"; +- if ($("#top" + cbArgs)[0]) $("#top" + cbArgs).remove(); +- $("#ov_" + cbArgs + "_sl").after(tbl); +- $("#ov_" + cbArgs + "_msg").html("viewing " + i + " of " + records + " results"); +- mkSlider("ov_" + cbArgs + "_sl", i, records); +- } +- +- // Ports +- function cb17(data,cbArgs){ +- eval("raw=" + data); +- var tbl = '', head = '', row = ''; +- head += ""; +- head += "COUNT"; +- head += "%TOTAL"; +- head += "#SIG"; +- head += "#SRC" +- head += "#DST"; +- head += "PORT"; +- head += ""; +- +- var eventsum = raw[raw.length - 1].n || 0; +- var records = raw[raw.length - 1].r || 0; +- if (records == 0) { +- row = "No result."; +- $("#ov_" + cbArgs + "_sl").text(""); +- } +- for (var i=0; i 0) per = parseFloat(cnt/eventsum*100).toFixed(2); +- row += ""; +- row += "" + cnt + ""; +- row += "" + per + "%"; +- row += "" + sigs + ""; +- row += "" + src + ""; +- row += "" + dst + ""; +- row += "" + port + ""; +- row += ""; +- row += "
"; +- } +- tbl += ""; +- tbl += head; +- tbl += row; +- tbl += "
"; +- if ($("#top" + cbArgs)[0]) $("#top" + cbArgs).remove(); +- $("#ov_" + cbArgs + "_sl").after(tbl); +- $("#ov_" + cbArgs + "_msg").html("viewing " + i + " of " + records + " results"); +- mkSlider("ov_" + cbArgs + "_sl", i, records); +- } +- // Signature +- function cb16(data){ +- eval("raw=" + data); +- var tbl = '', head = '', row = ''; +- head += ""; +- head += "COUNT"; +- head += "%TOTAL"; +- head += "#SRC"; +- head += "#DST"; +- head += "SIGNATURE"; +- head += "ID"; +- head += ""; +- +- var eventsum = raw[raw.length - 1].n || 0; +- var records = raw[raw.length - 1].r || 0; +- if (records == 0) { +- row = "No result."; +- $("#ov_signature_sl").text(""); +- $("#ovestat").html("(No events)"); +- } else { +- $("#ovestat").html("(" + eventsum + " events)"); +- } +- for (var i=0; i 0) per = parseFloat(cnt/eventsum*100).toFixed(2); +- row += ""; +- row += "" + cnt + ""; +- row += "" + per + "%"; +- row += "" + src + ""; +- row += "" + dst + ""; +- row += "" + sig + ""; +- row += "" + sid + ""; +- row += ""; +- row += "
"; +- } +- +- tbl += ""; +- tbl += head; +- tbl += row; +- tbl += "
"; +- if ($('#topsignature')[0]) $('#topsignature').remove(); +- $("#ov_signature_sl").after(tbl); +- $("#ov_signature_msg").html("viewing " + i + " of " + records + " results"); +- mkSlider("ov_signature_sl", i, records); +- } +- } +- +- $(".ovsl").mouseup(function() { +- var section = $(this).attr('id'); +- var base = section.split("_")[1]; +- var limit = Number($("#" + section + "_lbl").text()); +- if (limit > 0) mkSummary(base, limit); +- }); +- +- // +- // Views tab +- // +- +- function loadViews() { +- $('.db_links').show(); +- if (!$("#db_view_cont")[0]) mkView(); +- } +- +- // Link handlers +- $(document).on('click', '.db_link', function() { +- $('.db_link').each(function() { +- if ($(this).data('state') == '1') { +- $(this).removeClass('db_link_active'); +- $(this).data('state', '0'); +- } +- }); +- $(this).data('state', '1'); +- mkView(); +- }); +- +- $(document).on('click', '.db_type', function() { +- $('.db_type').each(function() { +- if ($(this).data('state') == '1') { +- $(this).removeClass('db_type_active'); +- $(this).data('state', '0'); +- } +- }); +- $(this).data('state', '1'); +- mkView(); +- }); +- +- $(document).on('click','.db_save', function() { +- +- }); +- +- // Create the view +- function mkView() { +- $('#db_view_cont,#hp_info').remove(); +- if (!$("#db_view_ldr")[0]) { +- var view = 'ip'; +- $('.db_link').each(function() { +- if ($(this).data('state') == '1') { +- $(this).addClass('db_link_active'); +- view = $(this).data('val'); +- } +- }); +- +- var type = 'sk'; +- $('.db_type').each(function() { +- if ($(this).data('state') == '1') { +- $(this).addClass('db_type_active'); +- type = $(this).data('type'); +- } +- }); +- +- var theWhen = getTimestamp(); +- var theSensors = s2h('empty'); +- var theFilter = mkFilter(); +- // See if we are filtering by sensor +- if ($('.chk_sen:checked').length > 0) { +- var active_sensors = "AND event.sid IN("; +- var iter = $('.chk_sen:checked').length; +- $('.chk_sen:checked').each(function() { +- 
active_sensors += "'" + $(this).val() + "',"; +- }); +- active_sensors = active_sensors.replace(/,+$/,''); +- active_sensors += ")"; +- theSensors = s2h(active_sensors); +- } +- +- var ldr = "
"; +- $('.db_view').after(ldr); +- var qargs = view + "-" + type; +- var urArgs = "type=16&qargs=" + qargs + "&filter=" + theFilter + "&sensors=" + theSensors + "&ts=" + theWhen; +- $(function(){ +- $.get(".inc/callback.php?" + urArgs, function(data){cb17(data,type)}); +- }); +- +- function cb17(data,type) { +- eval("viewData=" + data); +- var records = viewData.records; +- if ($('#db_view_cont')[0]) $('#db_view_cont').remove(); +- if (records > 0) { +- $('.db_view').after("
"); +- switch (type) { +- case 'sk': +- var w = $(window).width(); +- var h = viewData.links.length * 12; +- if (h < 100) h = 100; +- mkSankey("db_view_cont",viewData,w,h); +- break; +- } +- } else { +- $('.db_view').after("
The query returned no results.
"); +- } +- $('#db_view_ldr').remove(); +- } +- } +- } +- +- // Make a map +- function doMap() { +- theWhen = getTimestamp(); +- var theFilter = mkFilter(); +- var working = "Working
"; +- +- $('#wm0').html(working); +- +- var urArgs = "type=" + 10 + "&filter=" + theFilter + "&ts=" + theWhen; +- $(function(){ +- $.get(".inc/callback.php?" + urArgs, function(data){cb10(data)}); +- }); +- +- function cb10(data){ +- eval("mapRaw=" + data); +- try { +- var mapDetail = $.parseJSON("{" + mapRaw.all + "}"); +- var srcc = mapRaw.srcc; +- var srce = mapRaw.srce; +- var dstc = mapRaw.dstc; +- var dste = mapRaw.dste; +- var allc = mapRaw.allc; +- var alle = mapRaw.alle; +- } +- catch(e) { +- var mapDetail = "{\"\"}"; +- } +- +- // What is our current event total? +- var esum = $('#event_sum').val(); +- var w = $(window).width() - 72; +- var h = w / 2.7 ; +- $("#ov_map").html("
"); +- $('#wm0').vectorMap({ +- map: 'world_mill_en', +- color: '#f4f3f0', +- backgroundColor: '#CFE1FC', +- zoomOnScroll: false, +- onRegionClick: function(event, code){ +- hItemAdd(code); +- $('#search').val("cc" + " " + code); +- $('#search').focus(); +- }, +- series: { +- regions: [{ +- values: mapDetail, +- scale: ['#ffffff', '#000000'], +- normalizeFunction: 'polynomial' +- }] +- }, +- onRegionLabelShow: function(e, el, code){ +- if (mapDetail[code]) { +- var eper = parseFloat(mapDetail[code]/esum*100).toFixed(3); +- el.html(el.html() + ' (' + mapDetail[code] + ' Events ' + eper + '% of Total)'); +- } else { +- el.html(el.html()); +- } +- } +- }); +- +- var stats = "("; +- stats += allc + " distinct countries)"; +- $("#ovmapstat").html(stats); +- } +- } +- +- // Redraw map +- $(document).on("click", "#map_src, #map_dst", function() { +- doMap($(this).attr('id').split("_")[1]); +- }); +- +- // +- // History +- // +- +- function doHistory(object) { +- $('#loader').show(); +- var urArgs = "type=" + 21 + "&object=" + s2h("aa" + object) + "&ts=" + theWhen; +- $(function(){ +- $.get(".inc/callback.php?" 
+ urArgs, function(data){cb21(data)}); +- }); +- +- function cb21(data){ +- eval("chartData=" + data); +- var r1 = chartData.r1; +- var r2 = chartData.r2; +- var sum = 0; +- if (r1 > 0) { +- mkHeatMap(".ev_hm",chartData.start,chartData.rows1,object); +- $('#obhist_sig').remove(); +- if (r2 > 0) { +- +- for (var i=0; i < r2; i++) { +- sum += Number(chartData.rows2[i].value); +- } +- +- var tbl = '', head = '', row = ''; +- head += ""; +- head += "COUNT"; +- head += "%TOTAL"; +- head += "SIGNATURE"; +- head += ""; +- row += ""; +- +- for (var i=0; i < r2; i++) { +- +- var cnt = chartData.rows2[i].value || "-"; +- var sig = chartData.rows2[i].label || "-"; +- var sid = chartData.rows2[i].sid || "-"; +- var per = 0; +- if (sum > 0) var per = parseFloat(cnt/sum*100).toFixed(2); +- var tsg = truncTag(sig,60); +- +- row += ""; +- row += "" + cnt + ""; +- row += "" + per + "%"; +- row += "" + tsg + ""; +- row += "" +- row += "
"; +- } +- +- row += ""; +- tbl += ""; +- tbl += head; +- tbl += row; +- tbl += "
"; +- if ($('#obhist_sig')[0]) $('#obhist_sig').remove(); +- $(".ev_py").append(tbl); +- } +- } else { +- return; +- } +- if ($(".eview_charts")[0]) $('.eview_charts').slideDown('slow'); +- $("#loader").hide(); +- } +- } +-// The End. +-}); diff --git a/debian/patches/initialize-srcd,-dstd,-and-alld-in-callback.php b/debian/patches/initialize-srcd,-dstd,-and-alld-in-callback.php new file mode 100644 index 0000000..30c56a1 --- /dev/null +++ b/debian/patches/initialize-srcd,-dstd,-and-alld-in-callback.php @@ -0,0 +1,46 @@ +Description: + TODO: Put a short summary on the line above and replace this paragraph + with a longer explanation of this change. Complete the meta-information + with other relevant fields (see below for details). To make it easier, the + information below has been extracted from the changelog. Adjust it or drop + it. + . + securityonion-squert (20161212-1ubuntu1securityonion9) trusty; urgency=medium + . + * initialize srcd, dstd, and alld in callback.php +Author: Doug Burks + +--- +The information above should follow the Patch Tagging Guidelines, please +checkout http://dep.debian.net/deps/dep3/ to learn about the format. Here +are templates for supplementary fields that you might want to add: + +Origin: , +Bug: +Bug-Debian: http://bugs.debian.org/ +Bug-Ubuntu: https://launchpad.net/bugs/ +Forwarded: +Reviewed-By: +Last-Update: + +--- securityonion-squert-20161212.orig/.inc/callback.php ++++ securityonion-squert-20161212/.inc/callback.php +@@ -821,6 +821,7 @@ function map() { + } + + $aSum = $bSum = $cSum = $aItems = $bItems = $cItems = 0; ++ $srcd = $dstd = $alld = ""; + + function makeDetail($x1,$x2) { + $detail = ""; +--- securityonion-squert-20161212.orig/login.php ++++ securityonion-squert-20161212/login.php +@@ -130,7 +130,7 @@ Password
+

+ + +-
Version 1.6.2©2016 Paul Halliday
++
Version 1.6.3©2016 Paul Halliday
+ + + diff --git a/debian/patches/iterate-over-all-arrays-when-converting-strings b/debian/patches/iterate-over-all-arrays-when-converting-strings new file mode 100644 index 0000000..0411e40 --- /dev/null +++ b/debian/patches/iterate-over-all-arrays-when-converting-strings 
@@ -0,0 +1,38 @@ +Description: + TODO: Put a short summary on the line above and replace this paragraph + with a longer explanation of this change. Complete the meta-information + with other relevant fields (see below for details). To make it easier, the + information below has been extracted from the changelog. Adjust it or drop + it. + . + securityonion-squert (20161212-1ubuntu1securityonion36) xenial; urgency=medium + . + * iterate over all arrays when converting strings +Author: Doug Burks + +--- +The information above should follow the Patch Tagging Guidelines, please +checkout http://dep.debian.net/deps/dep3/ to learn about the format. Here +are templates for supplementary fields that you might want to add: + +Origin: , +Bug: +Bug-Debian: http://bugs.debian.org/ +Bug-Ubuntu: https://launchpad.net/bugs/ +Forwarded: +Reviewed-By: +Last-Update: + +--- securityonion-squert-20161212.orig/.inc/callback.php ++++ securityonion-squert-20161212/.inc/callback.php +@@ -443,7 +443,9 @@ function level2() { + // fetch the data and encode to json + $rows = $query->fetchAll(PDO::FETCH_ASSOC); + // the frontend expects all values to be strings +- $rows[0] = array_map('strval', $rows[0]); ++ for ($i=0;$i + TODO: Put a short summary on the line above and replace this paragraph + with a longer explanation of this change. Complete the meta-information + with other relevant fields (see below for details). To make it easier, the + information below has been extracted from the changelog. Adjust it or drop + it. + . + securityonion-squert (20161212-1ubuntu1securityonion16) trusty; urgency=medium + . + * merge and adjust comment +Author: Doug Burks + +--- +The information above should follow the Patch Tagging Guidelines, please +checkout http://dep.debian.net/deps/dep3/ to learn about the format. 
Here +are templates for supplementary fields that you might want to add: + +Origin: , +Bug: +Bug-Debian: http://bugs.debian.org/ +Bug-Ubuntu: https://launchpad.net/bugs/ +Forwarded: +Reviewed-By: +Last-Update: + +--- securityonion-squert-20161212.orig/.inc/callback.php ++++ securityonion-squert-20161212/.inc/callback.php +@@ -621,8 +621,8 @@ function filters() { + + $rows = array(); + ++ # iterate through each row of the filter table + while ($row = mysql_fetch_assoc($result)) { +- # we're now iterating through each row of the filter table + # for each field in that row, we need to sanitize before output + foreach ($row as &$value) { + # https://paragonie.com/blog/2015/06/preventing-xss-vulnerabilities-in-php-everything-you-need-know +--- securityonion-squert-20161212.orig/.js/squertBoxes.js ++++ securityonion-squert-20161212/.js/squertBoxes.js +@@ -505,14 +505,24 @@ $(document).ready(function(){ + if (builtins.indexOf(filterTxt.alias) != -1) throw 1; + + // Sanitize name +- var re = /^[?a-zA-Z][\w-]*$/; ++ var re = /^[?a-zA-Z][\w-\s]*$/; + var OK = re.exec(filterTxt.name); + if (!OK) throw 2; + if (filterTxt.name == "New") throw 2; + + // If creating a new filter make sure this name doesn't already exist + if ($("#tr_" + filterTxt.name)[0] && $('#tr_New')[0]) throw 2; +- ++ ++ // Sanitize notes ++ var re = /^[?a-zA-Z][\w-.\s]*$/; ++ var OK = re.exec(filterTxt.notes); ++ if (!OK) throw 2; ++ ++ // Sanitize url ++ var re = /^[?\/a-zA-Z0-9.\/:?${}(),_!&'@=\-\*#%]*$/; ++ var OK = re.exec(filterTxt.url); ++ if (!OK) throw 3; ++ + // Continue.. + oldCL = currentCL; + var ftype = $(".hp_type_active").data("val"); +@@ -568,13 +578,17 @@ $(document).ready(function(){ + eMsg += "Aa-Zz, 0-9, - and _ . "; + eMsg += "The word \"New\" is reserved and may not be used."; + break; ++ case 3: ++ eMsg += "
Error!
" ++ eMsg += "URL format not valid!"; ++ break; + default: + eMsg += "
Format error!
"; + eMsg += "Please ensure the format above is valid JSON. "; +- eMsg += "I am looking for an opening curly brace \"{\" followed by \"object\": \"value\" "; ++ eMsg += "Ex. An opening curly brace \"{\" followed by \"object\": \"value\" "; + eMsg += "pairs.
Each \"object\": \"value\" pair terminates with a comma \",\" except "; + eMsg += "the last pair before the closing curly brace \"}\"."; +- eMsg += " Strings must be enclosed within double quotes."; ++ eMsg += "Strings must be enclosed within double quotes."; + break; + } + $('.filter_error').append(eMsg); diff --git a/debian/patches/migrate-login.php-to-prepared-statements b/debian/patches/migrate-login.php-to-prepared-statements new file mode 100644 index 0000000..37db050 --- /dev/null +++ b/debian/patches/migrate-login.php-to-prepared-statements 
@@ -0,0 +1,150 @@
+Description:
+ TODO: Put a short summary on the line above and replace this paragraph
+ with a longer explanation of this change. Complete the meta-information
+ with other relevant fields (see below for details). To make it easier, the
+ information below has been extracted from the changelog. Adjust it or drop
+ it.
+ .
+ securityonion-squert (20161212-1ubuntu1securityonion26) trusty; urgency=medium
+ .
+ * migrate login.php to prepared statements
+Author: Doug Burks
+
+---
+The information above should follow the Patch Tagging Guidelines, please
+checkout http://dep.debian.net/deps/dep3/ to learn about the format. Here
+are templates for supplementary fields that you might want to add:
+
+Origin: ,
+Bug:
+Bug-Debian: http://bugs.debian.org/
+Bug-Ubuntu: https://launchpad.net/bugs/
+Forwarded:
+Reviewed-By:
+Last-Update:
+
+--- securityonion-squert-20161212.orig/auth/native/squert/login.php
++++ securityonion-squert-20161212/auth/native/squert/login.php
+@@ -36,6 +36,10 @@ function cleanUp($string) {
+ if ($_SERVER['REQUEST_METHOD'] == 'POST'){
+ $username = $_REQUEST['username'];
+ $password = $_REQUEST['password'];
++ // sso
++ //$username = $_SERVER['PHP_AUTH_USER'];
++ //$password = $_SERVER['PHP_AUTH_PW'];
++
+ $ua = $_SERVER['HTTP_USER_AGENT'];
+ $rqt = $_SERVER['REQUEST_TIME'];
+ $rqaddr = $_SERVER['REMOTE_ADDR'];
+@@ -45,16 +49,29 @@ if ($_SERVER['REQUEST_METHOD'] == 'POST'
+ $ua .= mt_rand(0,$max);
+ $cmpid = $rqt . $rqaddr . $ua;
+ $id = md5($cmpid);
+- $db = mysql_connect($dbHost,$dbUser,$dbPass);
+- $link = mysql_select_db($dbName, $db);
+- if ($link) {
+- $user = cleanUp($username);
+- $query = "SELECT * FROM user_info WHERE username = '$user'";
+- $result = mysql_query($query);
+- $numRows = mysql_num_rows($result);
++ // PDO prepared statements
++ try {
++ // first connect to database with the PDO object.
++ $dbpdo = new PDO("mysql:host=$dbHost;dbname=$dbName;charset=latin1", "$dbUser", "$dbPass", [
++ PDO::ATTR_EMULATE_PREPARES => false,
++ PDO::MYSQL_ATTR_USE_BUFFERED_QUERY => false,
++ PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION
++ ]);
++ } catch(PDOException $e){
++ // if connection fails, log PDO error.
++ error_log("Error connecting to mysql: ". $e->getMessage());
++ }
+
+- if ($numRows > 0) {
+- while ($row = mysql_fetch_row($result)) {
++ if (isset($dbpdo)) {
++ // prepare statement
++ $statement = "SELECT * FROM user_info WHERE username = :user";
++ $query = $dbpdo->prepare("$statement");
++ // build parameters for prepared statement
++ $params = [":user" => "$username"];
++ // execute the prepared statement and pass it params
++ $query->execute($params);
++ // fetch the data
++ while ($row = $query->fetch(PDO::FETCH_NUM)) {
+ $userName = $row[1];
+ $lastLogin = $row[2];
+ $userHash = $row[3];
+@@ -62,7 +79,10 @@ if ($_SERVER['REQUEST_METHOD'] == 'POST'
+ $userType = $row[5];
+ $userTime = $row[6];
+ $tzoffset = $row[7];
+- }
++ }
++
++ // if $username was found in database, then check password
++ if ( isset($userName) && $username == $userName) {
+ // The first 2 chars are the salt
+ $theSalt = substr($userHash, 0,2);
+
+--- securityonion-squert-20161212.orig/auth/sso/squert/login.php
++++ securityonion-squert-20161212/auth/sso/squert/login.php
+@@ -36,6 +36,7 @@ function cleanUp($string) {
+ //if ($_SERVER['REQUEST_METHOD'] == 'POST'){
+ //$username = $_REQUEST['username'];
+ //$password = $_REQUEST['password'];
++ // sso
+ $username = $_SERVER['PHP_AUTH_USER'];
+ $password = $_SERVER['PHP_AUTH_PW'];
+
+@@ -48,16 +49,29 @@ function cleanUp($string) {
+ $ua .= mt_rand(0,$max);
+ $cmpid = $rqt . $rqaddr .
$ua;
+ $id = md5($cmpid);
+- $db = mysql_connect($dbHost,$dbUser,$dbPass);
+- $link = mysql_select_db($dbName, $db);
+- if ($link) {
+- $user = cleanUp($username);
+- $query = "SELECT * FROM user_info WHERE username = '$user'";
+- $result = mysql_query($query);
+- $numRows = mysql_num_rows($result);
++ // PDO prepared statements
++ try {
++ // first connect to database with the PDO object.
++ $dbpdo = new PDO("mysql:host=$dbHost;dbname=$dbName;charset=latin1", "$dbUser", "$dbPass", [
++ PDO::ATTR_EMULATE_PREPARES => false,
++ PDO::MYSQL_ATTR_USE_BUFFERED_QUERY => false,
++ PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION
++ ]);
++ } catch(PDOException $e){
++ // if connection fails, log PDO error.
++ error_log("Error connecting to mysql: ". $e->getMessage());
++ }
+
+- if ($numRows > 0) {
+- while ($row = mysql_fetch_row($result)) {
++ if (isset($dbpdo)) {
++ // prepare statement
++ $statement = "SELECT * FROM user_info WHERE username = :user";
++ $query = $dbpdo->prepare("$statement");
++ // build parameters for prepared statement
++ $params = [":user" => "$username"];
++ // execute the prepared statement and pass it params
++ $query->execute($params);
++ // fetch the data
++ while ($row = $query->fetch(PDO::FETCH_NUM)) {
+ $userName = $row[1];
+ $lastLogin = $row[2];
+ $userHash = $row[3];
+@@ -65,7 +79,10 @@ function cleanUp($string) {
+ $userType = $row[5];
+ $userTime = $row[6];
+ $tzoffset = $row[7];
+- }
++ }
++
++ // if $username was found in database, then check password
++ if ( isset($userName) && $username == $userName) {
+ // The first 2 chars are the salt
+ $theSalt = substr($userHash, 0,2);
+
diff --git a/debian/patches/move-auth-to-optsquert b/debian/patches/move-auth-to-optsquert
new file mode 100644
index 0000000..4d0f247
--- /dev/null
+++ b/debian/patches/move-auth-to-optsquert
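Review bot: The added username confirmation `if ( isset($userName) && $username == $userName) {` uses loose comparison, which in PHP compares numeric-looking strings numerically; since its purpose appears to be an exact match on top of the `username = :user` lookup (which a case-insensitive collation may satisfy loosely), it should read `if (isset($userName) && $username === $userName) {` in both auth/native and auth/sso login.php. With `PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION` set, the `prepare()`/`execute()` calls sit outside the `try`, so a statement failure surfaces as an uncaught PDOException rather than the `error_log` path a connection failure gets; extending the `try` around the query, or adding a second catch, keeps both failures on the same logged path. The PDO bootstrap block is now repeated verbatim in both login.php files and in .inc/callback.php, so a shared include would keep the connection options in one place. The enclosing `if ($_SERVER['REQUEST_METHOD'] == 'POST')` block, and the password check it leads into, continue outside the hunk.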
@@ -0,0 +1,13709 @@ +Description: + TODO: Put a short summary on the line above and replace this paragraph + with a longer explanation of this change. Complete the meta-information + with other relevant fields (see below for details). To make it easier, the + information below has been extracted from the changelog. Adjust it or drop + it. + . + securityonion-squert (20161212-1ubuntu1securityonion21) trusty; urgency=medium + . + * move auth files to /opt/squert +Author: Doug Burks + +--- +The information above should follow the Patch Tagging Guidelines, please +checkout http://dep.debian.net/deps/dep3/ to learn about the format. Here +are templates for supplementary fields that you might want to add: + +Origin: , +Bug: +Bug-Debian: http://bugs.debian.org/ +Bug-Ubuntu: https://launchpad.net/bugs/ +Forwarded: +Reviewed-By: +Last-Update: + +--- securityonion-squert-20161212.orig/.auth/native/squert/.js/squertMain.js ++++ /dev/null +@@ -1,3275 +0,0 @@ +-/* Copyright (C) 2012 Paul Halliday */ +- +-$(document).ready(function(){ +- +- $(document).on('click', '[class*="bpr"]', function() { +- // We disallow filtering if any events have already been selected +- // or if we stray from the event tab +- if ($('.d_row_active')[0]) return; +- if ($(".chk_event:checked").length > 0) return; +- if ($(".tab_active").attr('id') != 't_sum') return; +- +- var prClass = $(this).attr('class').split('b')[1]; +- var prOld = $(this).data('pr'); +- +- function flipIt(pattern) { +- $(pattern).closest('tr').hide(); +- $(pattern).closest('tr').attr('class','hidden'); +- if ($('#gr').text() == 'on') $(pattern).closest('tr').find('.chk_event').prop("disabled",true); +- } +- if ($('.b' + prClass).attr('class') == 'bprA') { +- $('.b' + prClass).attr('class', 'bpr' + prOld); +- $('.hidden').attr('class','d_row'); +- $('.d_row').show(); +- if ($('#gr').text() == 'on') { +- $('.chk_event').prop("disabled",false); +- $('.chk_all').prop("checked",false); +- $('.chk_event').css("background-color", 
"#fafafa"); +- } +- } else { +- // See if we are already filtered +- if ($('.bprA')[0]) { +- $('.hidden').attr('class','d_row'); +- $('.d_row').show(); +- if ($('#gr').text() == 'on') { +- $('.chk_event').prop("disabled",false); +- $('.chk_all').prop("checked",false); +- $('.chk_event').css("background-color", "#fafafa"); +- } +- var prPrev = $('.bprA').data('pr'); +- $('.bprA').attr('class', 'bpr' + prPrev); +- } +- $('.b' + prClass).attr('class','bprA'); +- switch (prClass) { +- case "pr1": ptrn = ".pr2,.pr3,.pr4"; break; +- case "pr2": ptrn = ".pr1,.pr3,.pr4"; break; +- case "pr3": ptrn = ".pr1,.pr2,.pr4"; break; +- case "pr4": ptrn = ".pr1,.pr2,.pr3"; break; +- } +- flipIt(ptrn); +- } +- }); +- +- // +- // Load main content +- // +- +- // Keep track of context +- thisUser = $('#t_usr').data('c_usr'); +- thisTZ = $('#user_tz').val(); +- rtbit = 0; +- eventList("0-aaa-00"); +- $("#loader").show(); +- lastclasscount = 0; +- +- $(document).on("click", "#dt_savetz", function(event) { +- if ($('.dt_error').data('err') == 0) { +- var newOffset = $('#ts_offset').val(); +- profileUpdate("tz", s2h(newOffset)); +- $('#user_tz').val(newOffset); +- } +- }); +- +- // Depending on context a 'No result' may be confusing +- // so we turn off active queue and show everything +- $(document).on('click', '#retry', function() { +- $('#rt').attr('class','tvalue_off'); +- $('#rt').text('off'); +- rtbit = 0; +- $('.b_update').click(); +- }); +- +- // Get event statuses +- var eTotal = 0, qTotal = 0; +- function statusPoll(caller) { +- // See if we are filtering by sensor +- var theSensors = s2h('empty'); +- if ($('.chk_sen:checked').length > 0) { +- var active_sensors = "AND event.sid IN("; +- var iter = $('.chk_sen:checked').length; +- $('.chk_sen:checked').each(function() { +- active_sensors += "'" + $(this).val() + "',"; +- }); +- active_sensors = active_sensors.replace(/,+$/,''); +- active_sensors += ")"; +- theSensors = s2h(active_sensors); +- } +- +- var urArgs = "type=" + 6 + 
"&ts=" + theWhen + "&sensors=" + theSensors; +- $(function(){ +- $.get(".inc/callback.php?" + urArgs, function(data){cb(data)}); +- }); +- +- function cb(data){ +- // Check to make sure we still have a valid session. If we don't +- // let the user know and return them to the login page. +- if (data[0] == "<") { +- $("span.class_msg").text("Your session has expired!"); +- $("span.class_msg").css("background-color", "#cc0000"); +- $("span.class_msg").css("color", "#fff"); +- $("span.class_msg").show(); +- var sessionDead = confirm("Your session has expired. Press \"OK\" to return to the login page. If you aren't finished with what you were looking at click 'Cancel'. Note: you won't be able to perform any actions."); +- if (sessionDead) { +- $("#logout").click(); +- } +- } +- eval("ec=" + data); +- +- var esum = 0; +- +- for (var i=0; i 0) { +- var p = parseFloat(ecount/esum*100).toFixed(1); +- var w = parseInt(p*2); +- } +- if (eclass == 0) { +- qTotal = ecount; +- } +- $("#c-" + eclass).text(ecount); +- $("#c-" + eclass).append("(" + p + "%)"); +- } +- +- var lastcount = $("#cat_sum").val(); +- var newcount = esum; +- $("#cat_sum").val(esum); +- eTotal = esum; +- $("#event_sum").val(eTotal); +- +- if (caller == 0) { // Fresh load +- lastcount = newcount; +- } +- +- // Last RT value +- var lastQ = Number($("#qtotal").html()); +- if (lastcount < newcount) { +- $("#etotal").html(eTotal); +- } +- +- if (lastQ < qTotal) { +- if (caller != 0) { +- if ($(".icon_notifier").css('display') == 'none') $(".icon_notifier").fadeToggle(); +- } +- $("#etotal").html(eTotal); +- $("#qtotal").html(qTotal); +- } +- +- $("#title").html("squert (" + qTotal + ") - " + thisUser); +- +- } +- +- } +- +- // +- // Event monitor (how often we poll for new events) +- // +- +- var emTimeout = 30000; +- window.setInterval(function(){ +- if ($('#search').val().length == 0) { +- statusPoll(1); +- } +- }, emTimeout); +- +- $(document).on("click", '[class*="cl_"]', function(event) { +- var nc = 
$(this).attr('class').split("_"); +- var ct = $(this).parents('table').data('comment'); +- $(".cat_msg_txt").val(ct); +- $('#b_class-' + nc[1]).click(); +- }); +- +- // Tabs +- var tab_cached = $("#sel_tab").val(); +- +- switch (tab_cached) { +- case "t_sum": +- $('.content-right').show(); +- break; +- case "t_ovr": +- $('.content-right').hide(); +- $('.content-left').hide(); +- if ($('#ovestat').text().length == 0) loadSummary(); +- break; +- case "t_view": +- $('.content-right').hide(); +- $('.content-left').hide(); +- loadViews(); +- default: +- $('.content-right').hide(); +- $('.content-left').hide(); +- break; +- } +- +- $('#' + tab_cached).attr('class','tab_active'); +- $("#" + tab_cached + "_content").attr('class','content_active'); +- +- $(".tab,.tab_active").click(function(event) { +- var active = $(".tab_active").attr('id'); +- var content = $(".content_active").attr('id'); +- if ($(".fl_val_on")[0]) { +- $('.b_update').click(); +- } +- +- if ( this.id != active ) { +- $("#" + active).removeClass('tab_active'); +- $("#" + active).addClass('tab'); +- $(this).attr('class','tab_active'); +- $("#" + content).attr('class','content'); +- $("#" + this.id + "_content").attr('class','content_active'); +- activeTab = $(".tab_active").attr('id'); +- $('.pin').hide(); +- +- switch (activeTab) { +- case "t_sum": +- $('.content-right').show(); +- if (Number($('.botog').data('val')) == 1) $('.content-left').show(); +- $('.t_pbar').css('opacity',1); +- $('.db_links').hide(); +- $('.pin').show(); +- break; +- case "t_ovr": +- $('.content-right').hide(); +- $('.content-left').hide(); +- if ($('#ovestat').text().length == 0) loadSummary(); +- $('.t_pbar').css('opacity',.1); +- $('.db_links').hide(); +- break; +- case "t_view": +- $('.content-right').hide(); +- $('.content-left').hide(); +- $('.t_pbar').css('opacity',.1); +- loadViews(); +- break; +- default: +- $('.content-right').hide(); +- $('.content-left').hide(); +- $('.t_pbar').css('opacity',.1); +- 
$('.db_links').hide(); +- break; +- } +- +- $('#sel_tab').val(activeTab); +- var ctab = $('#sel_tab').val(); +- var urArgs = "type=" + 5 + "&tab=" + ctab; +- $.get(".inc/callback.php?" + urArgs); +- } +- }); +- +- // Sub tab groups +- $(".tsg").click(function(event) { +- var nc = Number($(this).attr('class').split(/\s/).length); +- var ct = $(this).data('tab'); +- $('.tsg_active').attr('class','tsg'); +- $(this).attr('class','tsg tsg_active'); +- }); +- +- // Toggle and update views +- function newView(req) { +- // No racing please +- var bail = $("#loader").css('display'); +- if (bail != 'none') return; +- // Remove any stale views +- $("#tl0,#tl1,#tl3a,#tl3b").remove(); +- var f = "0-aaa-00"; +- var s = "2a-aaa-00"; +- var cv = $("#gr").text(); +- +- switch (cv) { +- case "on": +- eventList(f); +- $("#loader").show(); +- break; +- case "off": +- eventList(s); +- $("#loader").show(); +- break; +- } +- } +- +- // Group and ungroup +- $(document).on("click", "#gr", function(event) { +- var bail = $("#loader").css('display'); +- if (bail != 'none') return; +- var cv = $('#gr').text(); +- switch (cv) { +- case 'on': +- $('#gr').attr('class','tvalue_off'); +- $('#gr').text('off'); +- break; +- case 'off': +- $('#gr').attr('class','tvalue_on'); +- $('#gr').text('on'); +- $("#event_sort").val("DESC"); +- break; +- } +- }); +- +- // RT check/uncheck +- $(document).on("click", "#rt", function(event) { +- var bail = $("#loader").css('display'); +- if (bail != 'none') return; +- var cv = $('#rt').text(); +- switch (cv) { +- case 'on': +- $('#rt').attr('class','tvalue_off'); +- $('#rt').text('off'); +- rtbit = 0; +- break; +- case 'off': +- $('#rt').attr('class','tvalue_on'); +- $('#rt').text('on'); +- rtbit = 1; +- break; +- } +- }); +- +- // Toggle side/lower bars +- $(document).on("click", ".botog", function(event) { +- if ($('.tab_active').attr('id') != 't_sum') return; +- var n = Number($('.botog').data("val")); +- switch (n) { +- case 1: +- $('.botog').data("val","0"); 
+- $('.content-right').css("width","100%"); +- $('.botog').attr('src','.css/layout0.png'); +- break; +- case 0: +- $('.botog').data("val","1"); +- $('.content-right').css("width","82%"); +- $('.botog').attr('src','.css/layout1.png'); +- break; +- } +- $('.bottom').animate({height: 'toggle'}); +- $('.content-left').animate({width: 'toggle'}); +- }); +- +- // Section show and hide +- $(".st").click(function() { +- var thisSec = $(this).data("sec"); +- var thisSecID = "#sec_" + thisSec; +- var thisSecVis = $(thisSecID).css("display"); +- var lastSection = "h"; +- switch (thisSecVis) { +- case "none": +- $(this).attr("src", ".css/uarr.png"); +- $(thisSecID).slideDown(); +- break; +- default: +- $(this).attr("src", ".css/darr.png"); +- $(thisSecID).slideUp(); +- break; +- } +- }); +- +- // If search is in focus, update on enter +- $('#search').keypress(function(e) { +- if (!e) e=window.event; +- key = e.keyCode ? e.keyCode : e.which; +- if (key == 13) { +- // Close comment box if it is open +- if ($('#cat_box').css('display') != 'none') { +- $('#ico01').click(); +- } +- $('.b_update').click(); +- } +- }); +- +- // Sort ASC/DESC +- $(document).on("click", ".event_time", function(event) { +- var csv = $(".event_time").text(); +- switch (csv) { +- case "show oldest first": +- $("#event_sort").val("ASC"); +- break; +- case "show newest first": +- $("#event_sort").val("DESC"); +- break; +- } +- newView("u"); +- }); +- +- // Update page +- $(document).on("click", ".b_update", function(event) { +- $(".icon_notifier").fadeToggle(); +- $(".tag").remove(); +- $(".tag_empty").show(); +- // Remove any supplementary results +- if ($("#extresult")[0]) $("#extresult").remove(); +- // Where are we? 
+- var curTab = $('.tab_active').attr('id'); +- switch (curTab) { +- case 't_ovr': +- loadSummary(); +- break; +- case 't_view': +- mkView(); +- break; +- default: +- $(".b_update_note").hide(); +- newView("u"); +- break; +- } +- }); +- +- // Clear search and refresh +- $('#clear_search').click(function() { +- if ($('#search').val() != '') { +- $('#search').val(''); +- $("#search").focus(); +- if ($(".fl_val_on")[0]) { +- $('.b_update').click(); +- } +- } +- }); +- +- // Logout +- $("#logout").click(function(event) { +- $.get("index.php?id=0", function(){location.reload()}); +- }); +- +- // Toggle filters +- $(document).on('click', '.fl_val_on', function(event) { +- var wF = $(this).data("ft"); +- switch (wF) { +- case "tl": +- +- break; +- case "ob": +- $('#clear_search').click(); +- break; +- case "sn": +- $(".chk_sen").each(function() { +- $(this).prop("checked",false); +- }); +- $('.b_update').click(); +- break; +- } +- }); +- +- function clearTags() { +- //$(".tag").remove(); +- //$(".tag_empty").show(); +- $(".tag").removeClass('tag_active'); +- } +- +- // +- // Rows +- // +- +- function closeRow() { +- $("#active_eview").remove(); +- $("#" + this.id).attr('class','d_row'); +- $(".d_row").css('opacity','1'); +- ltCol = $(".d_row_active").find('td.lt').html(); +- $(".d_row_active").find('td.lt').css('background', ltCol); +- $(".d_row_active").attr('class','d_row'); +- // Update class_count +- $("#class_count").text(lastclasscount); +- // Get rid of any crashed loaders +- $("#loader").hide(); +- // Reset checkbox +- $(".chk_all").prop("checked",false); +- // Clear Tags +- clearTags(); +- } +- function closeSubRow() { +- $("#eview_sub1").remove(); +- $("#" + this.id).attr('class','d_row_sub'); +- $(".d_row_sub").css('opacity','1'); +- $(".d_row_sub_active").attr('class','d_row_sub'); +- // Update class_count +- $("#class_count").text(lastclasscount); +- curclasscount = lastclasscount; +- $("#loader").hide(); +- // Reset and show checkbox +- 
$(".chk_all").prop("checked",false); +- $("#ca0").show(); +- // Remove any open externals +- if ($("#extresult")[0]) $("#extresult").remove(); +- // Clear Tags +- clearTags(); +- } +- function closeSubRow1() { +- $("#eview_sub2").remove(); +- $("#" + this.id).attr('class','d_row_sub1'); +- if (!$("#eview_sub3")[0]) { +- $(".d_row_sub1").css('opacity','1'); +- $(".d_row_sub_active1").attr('class','d_row_sub1'); +- } +- $("#loader").hide(); +- // Reset checkbox +- $(".chk_all").prop("checked",false); +- // Remove any open externals +- if ($("#extresult")[0]) $("#extresult").remove(); +- // Clear Tags +- clearTags(); +- } +- function closeSubRow2() { +- $("#eview_sub3").remove(); +- $("#" + this.id).attr('class','d_row_sub1'); +- if (!$("#eview_sub2")[0]) { +- $(".d_row_sub1").css('opacity','1'); +- $(".d_row_sub1_active").attr('class','d_row_sub1'); +- } +- $("#loader").hide(); +- // Clear Tags +- clearTags(); +- } +- +- // +- // Level 1 +- // +- +- $(document).on("click", ".row_active", function(event) { +- var curID = $(this).parent('tr').attr('id'); +- // What type of row are we? +- rowType = curID.substr(0,3); +- +- // Make sure no other instances are open +- if (!$(".d_row_active")[0] && rowType == 'sid') { +- $("#loader").show(); +- // This leaves us with sid-gid +- var rowValue = curID.replace("sid-",""); +- var sigID = rowValue.split("-")[0]; +- +- $(".d_row_active").attr('class', 'd_row'); +- $("#active_eview").attr('class','d_row'); +- +- // This is now the active row +- $("#" + curID).attr('class','d_row_active'); +- $("html, body").animate({ scrollTop: $('.d_row_active').offset().top - 140 }, 20); +- // History +- var itemToAdd = $("#" + curID).find('[class*="row_filter"]').text(); +- hItemAdd(itemToAdd); +- // Set the class count (counted again after load) +- curclasscount = $('.d_row_active').data('event_count'); +- var cols = $('th.sort').length; +- var tbl = ''; +- tbl += ""; +- tbl += "
"; +- tbl += "
"; +- tbl += "
"; +- tbl += "
"; +- tbl += "
"; +- tbl += "
"; +- tbl += "
"; +- tbl += "
"; +- tbl += ""; +- tbl += "CATEGORIZE"; +- tbl += curclasscount + "EVENT(S)  "; +- tbl += "    "; +- tbl += "CREATE FILTER: "; +- tbl += "src  "; +- tbl += "dst  "; +- tbl += "both"; +- tbl += "
"; +- $("#" + curID).after(tbl); +- +- // Lookup signature +- sigLookup(rowValue); +- +- // Fetch results +- eventList("1-" + rowValue); +- +- $("#eview").show(); +- $(".d_row").fadeTo('0','0.2'); +- } else { +- closeRow(); +- } +- }); +- +- // +- // Level 2 +- // +- +- $(document).on("click", ".sub_active", function() { +- if (!$(".d_row_sub_active")[0]) { +- var callerID = $(this).parent('tr').attr('id'); +- +- // Reset checkbox +- $(".chk_all").prop("checked",false); +- +- // RT or ALL? +- switch (rtbit) { +- case 1: adqp = s2h("AND event.status = 0"); break; +- case 0: adqp = s2h("empty"); break; +- } +- // We are now the active row +- $("#" + callerID).attr('class','d_row_sub_active'); +- +- // Populate search times +- var bt = $("#" + callerID).find('[class*="timestamp"]').html(); +- var est = mkStamp(bt,"-",3600000,thisTZ); +- var eet = mkStamp(bt,"+",3600000,thisTZ); +- +- $('#el_start').val(est); +- $('#el_end').val(eet); +- +- // Clear search terms +- $("#srchterms").html(''); +- $(".srch_txt").val(''); +- +- // History and search +- $("#" + callerID).find('[class*="sub_filter"]').each(function() { +- if ($(this).data('type') == 'cc') { +- var itemToAdd = $(this).data('value'); +- } else { +- var itemToAdd = $(this).text(); +- // Add search terms +- $("#srchterms").append("" + itemToAdd + "  "); +- } +- hItemAdd(itemToAdd); +- }); +- +- $("#loader").show(); +- eventList("2-" + callerID + "-" + adqp); +- } else { +- closeSubRow(); +- } +- }); +- +- // +- // Level 3 (a or b) request payload +- // +- +- $(document).on("click", ".sub1_active", function() { +- // Close transcript if it is open +- if ($(".eview_sub3")[0]) closeSubRow2(); +- if (!$(".d_row_sub_active1")[0]) { +- var callerID = $(this).parent('tr').attr('id'); +- $("#" + callerID).attr('class','d_row_sub_active1'); +- +- // Populate search times +- var bt = $("#" + callerID).find('[class*="timestamp"]').html(); +- var est = mkStamp(bt,"-",1800000,thisTZ); +- var eet = 
mkStamp(bt,"+",1800000,thisTZ); +- +- $('#el_start').val(est); +- $('#el_end').val(eet); +- +- // Clear search terms +- $("#srchterms").html(''); +- $(".srch_txt").val(''); +- +- // History +- $("#" + callerID).find('[class*="sub_filter"]').each(function() { +- if ($(this).data('type') == 'cc') { +- var itemToAdd = $(this).data('value'); +- } else { +- var itemToAdd = $(this).text(); +- } +- if ($(this).data('type') == 'ip') { +- // Add search terms +- $("#srchterms").append("" + itemToAdd + "  "); +- } +- hItemAdd(itemToAdd); +- }); +- $("#loader").show(); +- eventList("3-" + callerID); +- } else { +- closeSubRow1() +- } +- }); +- +- // +- // Level 3 (a or b) request transcript +- // +- +- $(document).on("click", ".sub2_active", function(event) { +- // Close payload if it is open +- if ($(".eview_sub2")[0]) closeSubRow1(); +- var bail = $("#loader").css('display'); +- if (bail != 'none') return; +- if (!$(".eview_sub3")[0]) { +- $("#loader").show(); +- composite = $(this).data('tx').split("-"); +- rowLoke = composite[0]; +- $("#" + rowLoke).attr('class','d_row_sub1_active'); +- nCols = $("#" + rowLoke).find('td').length; +- cid = composite[1]; +- txdata = composite[2]; +- +- // See if a transcript is available +- var urArgs = "type=" + 7 + "&txdata=" + txdata; +- $(function(){ +- $.post(".inc/callback.php?" + urArgs, function(data){cb5(data)}); +- }); +- +- function cb5(data){ +- eval("txRaw=" + data); +- txCMD = txRaw.cmd; +- txResult = txRaw.tx; +- txDebug = txRaw.dbg; +- if (txResult == "DEBUG:") txResult += " No data was returned."; +- if (!txResult) { +- txResult = "Transcript request failed!

"; +- txResult += "The command was:
" + txCMD + "

"; +- txResult += "The response was:" + txDebug.replace(/DEBUG:/g,"
"); +- } +- +- var row = '',tbl = ''; +- row += ""; +- row += ""; +- row += "
"; +- row += txResult; +- row += "
"; +- +- tbl += ""; +- tbl += row; +- tbl += ""; +- $("#" + rowLoke).after(tbl); +- +- // Turn off fade effect for large results +- var rC = $(".d_row_sub1").length; +- if ( rC <= 399 ) { +- $(".d_row_sub1").fadeTo('fast','0.2'); +- } +- +- $("#loader").hide(); +- } +- } else { +- closeSubRow2(); +- } +- }); +- +- // Toggle RT depending on entry point +- $(document).on("click", ".b_ec_hot", function() { +- rtbit = 1; +- }); +- $(document).on("click", ".b_ec_total", function() { +- rtbit = 0; +- }); +- +- // Filter constructor +- function mkFilter() { +- if ($('#search').val().length > 0) { +- +- var srchVal = $('#search').val(); +- var fParts = ""; +- +- // If no term is supplied default to a string, IP or wildcard IP search +- chkVal: +- if (srchVal.indexOf(" ") == -1 && srchVal[0] != "!") { +- var re = /^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}/; +- if (re.exec(srchVal)) { +- srchVal = "ip " + srchVal; +- break chkVal; +- } +- +- var re = /^(\d{1,3}|%)\.(\d{1,3}|%)\.(\d{1,3}|%)\.(\d{1,3}|%)/; +- if (re.exec(srchVal)) { +- srchVal = "wip " + srchVal; +- break chkVal; +- } +- +- srchVal = "sig " + srchVal; +- } +- +- fParts = srchVal.replace(/^!/,"").split(" "); +- if (fParts[0] == 'cmt') { +- var theFilter = s2h($('#search').val()); +- rtbit = 0; +- } else { +- // Now see if the requested filter exists +- if ($("#tr_" + fParts[0]).length > 0) { +- tmpFilter = $("#tr_" + fParts[0]).data('filter'); +- // Now see if we need to modify the query +- if (fParts[1]) { +- // This is the base filter +- preFilter = h2s(tmpFilter); +- // This is the user supplied text. 
+- var re = new RegExp("^" + fParts[0] + "\\s{1}|[';\\\`]","g"); +- theQuestion = fParts.join(' ').replace(re, ""); +- // We will accept multiple questions if they are comma delimited +- questionParts = theQuestion.split(","); +- if (questionParts.length > 1) { +- var f = '('; +- for (var i = 0; i < questionParts.length; i++) { +- f += preFilter.replace(/\$/g, questionParts[i]); +- if (i != (questionParts.length - 1)) { +- f += " OR "; +- } +- } +- f += ')'; +- theFilter = s2h(f); +- } else { +- var newFilter = preFilter.replace(/\$/g, questionParts[0]); +- theFilter = s2h(newFilter); +- } +- } else { +- theFilter = tmpFilter; +- } +- } else { // The filter does not exist +- theFilter = s2h('empty'); +- } +- } +- } else { // No filter supplied +- theFilter = s2h('empty'); +- } +- return theFilter; +- } +- +- // +- // This creates the views for each level +- // +- +- function eventList (type) { +- theWhen = getTimestamp(); +- statusPoll(0); +- var parts = type.split("-"); +- var filterMsg = ''; +- var rt = 0; +- var theSensors = s2h('empty'); +- var theFilter = mkFilter(); +- +- // See if we are just RT events +- if ($('#rt').text() == 'on' || rtbit == 1) { +- rt = 1; +- rtbit = 1; +- } +- // How are we sorting? 
+- var sortval = $("#event_sort").val(), sorttxt; +- switch (sortval) { +- case "DESC": sorttxt = "show oldest first"; break; +- case "ASC": sorttxt = "show newest first"; break; +- } +- +- // See if we are filtering by sensor +- if ($('.chk_sen:checked').length > 0) { +- var active_sensors = "AND event.sid IN("; +- var iter = $('.chk_sen:checked').length; +- $('.chk_sen:checked').each(function() { +- active_sensors += "'" + $(this).val() + "',"; +- }); +- active_sensors = active_sensors.replace(/,+$/,''); +- active_sensors += ")"; +- theSensors = s2h(active_sensors); +- } +- +- // Check for any filters +- if (h2s(theFilter) != 'empty') { +- $('.fl_val').text('YES'); +- } else { +- $('.fl_val').text('NO'); +- } +- +- switch (parts[0]) { +- +- // Level 0 view - Grouped by Signature +- case "0": +- $('.value').text('-'); +- +- // Times Chart +- var urChrtArgs = "type=22&ts=" + theWhen + "&filter=" + theFilter + "&sensors=" + theSensors; +- $(function(){ +- $.get(".inc/callback.php?" + urChrtArgs, function(data){cb22(data)}); +- }); +- +- function cb22(data){ +- eval("chartData=" + data); +- var r = chartData.r; +- if (r > 0) { +- mkLine(".times",chartData.rows,chartData.m); +- } +- } +- +- var urArgs = "type=" + parts[0] + "&ts=" + theWhen + "&filter=" + theFilter + "&sensors=" + theSensors + "&rt=" + rt + "&sv=" + sortval; +- $(function(){ +- $.get(".inc/callback.php?" 
+ urArgs, function(data){cb1(data)}); +- }); +- function cb1(data){ +- eval("d0=" + data); +- var tbl = ''; +- var head = ''; +- var row = ''; +- var cols = 11; +- +- if (rt == 0) cols = 12; +- head += ""; +- head += ""; +- head += "QUEUE"; +- if (rt == 0) head += "ALL"; +- head += ""; +- head += "SC"; +- head += "DC"; +- if (rt == 0) head += "CLASS"; +- head += "ACTIVITY"; +- head += "LAST EVENT"; +- head += "SIGNATURE"; +- head += "ID"; +- head += "PROTO"; +- head += "% TOTAL"; +- head += ""; +- +- var sumEC = 0, sumSC = 0, sumDC = 0, sumSI = "-", spr1 = 0, spr2 = 0, spr3 = 0, spr4 = 0; +- +- if (d0.length > 0) { +- // Sums for boxes +- for (var i=0; i"; +- row += "No result. If this is unexpected try this"; +- } +- +- if (rt == 1) { +- sumSC = "-"; +- sumDC = "-"; +- sumEC = eTotal; +- } +- +- var sumRT = 0; +- +- // Tag Array +- var tags = new Array(); +- +- for (var i=0; i 0 ) { +- rtClass = "b_ec_hot"; +- sumRT += parseInt(unClass); +- } else { +- rtClass = "b_ec_cold"; +- } +- +- // Sum priorities +- var prC = Number(d0[i].f1); +- switch (d0[i].f13) { +- case "1": spr1 += prC; break; +- case "2": spr2 += prC; break; +- case "3": spr3 += prC; break; +- default: spr4 += prC; break; +- } +- +- rid = "r" + i + "-" + parts[1]; +- var cells = mkGrid(d0[i].f12); +- if (rt == 0) var catCells = catGrid(d0[i].f11,0,0); +- row += ""; +- row += "
" + unClass + "
"; +- if (rt == 0) row += "
" + d0[i].f1 + "
"; +- row += "
" + d0[i].f13 + "
"; +- row += "" +d0[i].f6+ ""; +- row += "" +d0[i].f7+ ""; +- if (rt == 0) row += "" + catCells + ""; +- +- timeParts = d0[i].f5.split(" "); +- timeStamp = timeParts[1]; +- +- if ( sumEC > 0) { +- rowPer = Number(d0[i].f1/sumEC*100).toFixed(3); +- } else { +- rowPer = "0.000"; +- } +- +- row += "" + cells + ""; +- row += "" + timeStamp + ""; +- row += ""; +- //row += "
" + d0[i].f2 + "
"; +- row += d0[i].f2 + ""; +- row += "" + d0[i].f3 + ""; +- row += "" + d0[i].f8 + ""; +- +- +- row += "" + rowPer + "%"; +- row += ""; +- } +- +- // Populate event summary +- $('#qtotal').text(sumRT); +- $('#etotal').text(sumEC); +- $('#esignature').text(sumSI); +- +- // Populate tags +- for (var i=0; i < tags.length; i++) { +- addTag(tags[i]); +- } +- +- tbl += ""; +- tbl += head; +- tbl += row; +- tbl += "
"; +- +- $('#' + parts[1] + '-' + parts[2]).append(tbl); +- +- if (d0.length > 0) { +- var prVals = [spr1,spr2,spr3,spr4]; +- var pryBar = mkPribar(prVals); +- } else { +- var pryBar = mkPribar([0]); +- } +- $('#tl1').fadeIn('slow'); +- $("#tl1").tablesorter(); +- $("#loader").hide(); +- } +- break; +- +- // Level 1 view - Grouped by signature, source, destination +- +- case "1": +- var urArgs = "type=" + parts[0] + "&object=" + parts[1] + "&ts=" + theWhen + "&filter=" + theFilter + "&sensors=" + theSensors + "&rt=" + rt + "&sv=" + sortval; +- $(function(){ +- $.get(".inc/callback.php?" + urArgs, function(data){cb2(data)}); +- }); +- +- function cb2(data){ +- eval("theData=" + data); +- tbl = ''; +- head = ''; +- row = ''; +- head += "QUEUE"; +- if (rt == 0) head += "TOTAL"; +- if (rt == 0) head += "CLASS"; +- head += "ACTIVITY"; +- head += "LAST EVENT"; +- head += "SOURCE"; +- head += "AGE"; +- head += "COUNTRY"; +- head += "DESTINATION"; +- head += "AGE"; +- head += "COUNTRY"; +- head += ""; +- var curclasscount = 0, tlCount = 0, rtCount = 0; +- var timeValues = "", scid = ""; +- +- // Tag array +- var tags = new Array(); +- +- for (var i=0; i 0 ) { +- rtClass = "b_ec_hot"; +- isActive = "sub_active"; +- } else { +- rtClass = "b_ec_cold"; +- isActive = "sub"; +- } +- +- // Aggregate time values +- timeValues += theData[i].c_ts + ","; +- var cells = mkGrid(theData[i].f12); +- if (rt == 0) var catCells = catGrid(theData[i].c_status,0,0); +- +- // Event sums +- tlCount += parseInt(count,10); +- rtCount += parseInt(unclass,10); +- +- rid = "r" + i + "-" + parts[1] + "-" + src_ip + "-" + dst_ip; +- row += ""; +- row += "
" + unclass + "
"; +- if (rt == 0) row += "
" + count + "
"; +- if (rt == 0) row += "" + catCells + ""; +- row += "" + cells + ""; +- row += "" + max_time + ""; +- row += "
" + src_ip + ""; +- row += "" + src_age_n + ""; +- row += ""; +- row += cs[1] + src_clong + " (." + src_cc.toLowerCase() + ")" + ""; +- row += "
" + dst_ip + ""; +- row += "" + dst_age_n + ""; +- row += ""; +- row += cd[1] + dst_clong + " (." + dst_cc.toLowerCase() + ")" + ""; +- row += ""; +- } +- +- // Populate tags +- for (var i=0; i < tags.length; i++) { +- addTag(tags[i]); +- } +- +- // Add scid's to checkbox +- $("#ca0").data("scid", scid.replace(/,$/, "")); +- +- // If queue is empty provide event sums in case the user +- // intends to reclass anything +- if (rtbit == 1) { +- curclasscount = rtCount; +- } else { +- curclasscount = tlCount; +- } +- +- // update class_count +- $("#class_count").html(curclasscount); +- lastclasscount = $("#class_count").html(); +- +- // While in grouped events (RT) we remove rows as +- // they are classed and subtract the values from "Total Events" +- // This keeps etotal up to date so the math doesn't get silly +- var oldrt = Number($(".d_row_active").find(".b_ec_hot").text()); +- var oldec = Number($("#etotal").text()); +- if (oldrt < rtCount) { +- newrtcount = parseInt((rtCount - oldrt) + oldec); +- $("#etotal").text(newrtcount); +- } +- +- // Update parent counts +- $(".d_row_active").find(".b_ec_hot").text(rtCount); +- if (rt == 0) $(".d_row_active").find(".b_ec_total").text(tlCount); +- +- tbl += "
"; +- tbl += head; +- tbl += row; +- tbl += "
"; +- $("#eview").after(tbl); +- $("#tl2").tablesorter({ +- headers: { +- 4: {sorter:'ipv4'}, +- 6: {sorter:'ipv4'} +- } +- }); +- $("#loader").hide(); +- } +- break; +- +- // Level 2 view - No grouping, individual events +- +- case "2": +- var rowLoke = parts[1]; +- var filter = $('#' + parts[1]).data('filter'); +- var urArgs = "type=" + parts[0] + "&object=" + filter + "&filter=" + theFilter + "&sensors=" + theSensors + "&ts=" + theWhen + "&adqp=" + parts[2] + "&rt=" + rt + "&sv=" + sortval; +- $(function(){ +- $.get(".inc/callback.php?" + urArgs, function(data){cb3(data)}); +- }); +- +- function cb3(data){ +- eval("d2=" + data); +- tbl = ''; +- head = ''; +- row = ''; +- head += ""; +- head += ""; +- head += "ST"; +- head += "TIMESTAMP"; +- head += "EVENT ID"; +- head += "SOURCE"; +- head += "PORT"; +- head += "DESTINATION"; +- head += "PORT"; +- head += "SIGNATURE"; +- head += ""; +- +- // Update class_count +- $("#class_count").html(0); +- var tlCount=0, rtCount=0; +- +- // Tag array +- var tags= new Array(); +- +- for (var i=0; i"; +- tclass = "c" + eclass; +- cv = classifications.class[tclass][0].short; +- +- // Populate tags array +- if (src_tag != "-") { +- var src_tags = src_tag.split(","); +- $.each(src_tags, function(n,tag) { +- var t = tags.indexOf(tag); +- if (t < 0) tags.push(tag); +- }); +- } +- +- if (dst_tag != "-") { +- var dst_tags = dst_tag.split(","); +- $.each(dst_tags, function(n,tag) { +- var t = tags.indexOf(tag); +- if (t < 0) tags.push(tag); +- }); +- } +- +- // Timestamp +- var compts = d2[i].f2.split(",") || "--"; +- var timestamp = compts[0]; +- var utctimestamp = compts[1]; +- +- // Event sums +- tlCount += parseInt(1,10); +- if (cv == "RT") { +- rtCount += parseInt(1,10); +- } +- +- // Transcript link +- // original Squert native pivot: +- //txdata = "s" + i + "-" + cid + "-" + s2h(sid + "|" + utctimestamp + "|" + src_ip + "|" + src_port + "|" + dst_ip + "|" + dst_port); +- //txBit = "" + sid + "." + cid + "
"; +- //if (src_port != "-" && dst_port != "-") { +- // txBit = "" + sid + "." + cid + ""; +- //} +- // new pivot to CapMe: +- txdata = "s" + i + "-" + cid + "-" + s2h(sid + "|" + utctimestamp + "|" + src_ip + "|" + src_port + "|" + dst_ip + "|" + dst_port); +- txBit = "" + sid + "." + cid + ""; +- if (src_port != "-" && dst_port != "-") { +- var startDate = new Date(utctimestamp); +- var start_tz_offset = (startDate.getTimezoneOffset()); +- var stime = startDate.setTime( startDate.getTime()/1000-(start_tz_offset*60) ) - 3600; +- var endDate = new Date(utctimestamp); +- var end_tz_offset = (endDate.getTimezoneOffset()); +- var etime = endDate.setTime( endDate.getTime()/1000-(end_tz_offset*60) ) + 3600; +- txBit = " " + sid + "." + cid + ""; +- } +- +- row += ""; +- row += "
"; +- row += cv + "
"; +- row += "" + timestamp + ""; +- row += txBit; +- row += "" + src_ip + ""; +- row += "" + src_port + ""; +- row += "" + dst_ip + ""; +- row += "" + dst_port + ""; +- row += "" + signature + ""; +- row += ""; +- } +- +- // Update parent counts +- $(".d_row_sub_active").find(".b_ec_hot").text(rtCount); +- if ($(".d_row_sub_active").find(".b_ec_total").text() < tlCount) { +- $(".d_row_sub_active").find(".b_ec_total").text(tlCount); +- } +- +- var cols = $('th.sort').length; +- +- // Populate tags +- clearTags(); +- for (var i=0; i < tags.length; i++) { +- addTag(tags[i]); +- } +- +- tbl += ""; +- tbl += ""; +- tbl += head; +- tbl += row; +- tbl += "
"; +- $("#" + rowLoke).after(tbl); +- $(".d_row_sub").fadeTo('0','0.2'); +- $("#loader").hide(); +- $("#tl3").tablesorter({ +- headers: { +- 0:{sorter:false}, +- 4:{sorter:'ipv4'}, +- 6:{sorter:'ipv4'} +- }, +- cancelSelection:false +- }); +- $("#ca0").hide(); +- } +- break; +- +- // Level 2a view - No grouping, individual events +- +- case "2a": +- $('.value').text('-'); +- var urArgs = "type=2a&ts=" + theWhen + "&filter=" + theFilter + "&sensors=" + theSensors + "&rt=" + rt + "&sv=" + sortval; +- $(function(){ +- $.get(".inc/callback.php?" + urArgs, function(data){cb3a(data)}); +- }); +- +- function cb3a(data){ +- eval("d2a=" + data); +- var tbl = ''; +- var head = ''; +- var row = ''; +- var disabled = ''; +- if (d2a.length == 0) { +- disabled = "disabled"; +- row += ""; +- row += "No result. If this is unexpected try this"; +- } +- +- head += ""; +- head += ""; +- head += ""; +- head += "ST"; +- head += ""; +- head += "TIMESTAMP"; +- head += "ID"; +- head += "SOURCE"; +- head += "PORT"; +- head += "AGE"; +- head += "CC"; +- head += "DESTINATION"; +- head += "PORT"; +- head += "AGE"; +- head += "CC"; +- head += "SIGNATURE"; +- head += ""; +- +- // Aggregate time values +- var timeValues = ""; +- for (var ts=0; ts" + sid + "." + cid + ""; +- //if (src_port != "-" && dst_port != "-") { +- // txBit = "" + sid + "." + cid + ""; +- //} +- // new pivot to CapMe: +- txdata = "s" + i + "-" + cid + "-" + s2h(sid + "|" + utctimestamp + "|" + src_ip + "|" + src_port + "|" + dst_ip + "|" + dst_port); +- txBit = "" + sid + "." + cid + ""; +- if (src_port != "-" && dst_port != "-") { +- var startDate = new Date(utctimestamp); +- var start_tz_offset = (startDate.getTimezoneOffset()); +- var stime = startDate.setTime( startDate.getTime()/1000-(start_tz_offset*60) ) - 3600; +- var endDate = new Date(utctimestamp); +- var end_tz_offset = (endDate.getTimezoneOffset()); +- var etime = endDate.setTime( endDate.getTime()/1000-(end_tz_offset*60) ) + 3600; +- txBit = " " + sid + "." 
+ cid + ""; +- } +- +- row += ""; +- row += ""; +- row += "
"; +- row += cv + "
"; +- row += "
" + d2a[i].f16 + "
"; +- row += "" + timestamp + ""; +- row += txBit; +- row += "
" + src_ip + ""; +- row += "" + src_port + ""; +- row += "" + src_age_n + ""; +- row += "" + cs[1] + ""; +- row += "
" + dst_ip + ""; +- row += "" + dst_port + ""; +- row += "" + dst_age_n + "" +- row += "" + cd[1] + ""; +- row += "" + signature + ""; +- } +- +- var sumED = 0, sumEC = 0, cmsg = ""; +- +- if (d2a.length > 0) { +- sumED = i; +- sumEC = d2a.length; +- } +- +- if (d2a.length >= maxI) { +- sumRE = sumEC - maxI; +- cmsg = " / " + sumRE + " not shown"; +- } +- +- $("#qtotal").html(rsumRT); +- +- // Populate tags +- clearTags(); +- for (var i=0; i < tags.length; i++) { +- addTag(tags[i]); +- } +- +- // Draw +- tbl += ""; +- tbl += "
"; +- tbl += "
"; +- tbl += "
"; +- tbl += "categorize " + 0 + ""; +- tbl += " of " + sumED + " event(s)" + cmsg; +- tbl += "
"; +- tbl += "
" + sorttxt + "
"; +- tbl += "
"; +- tbl += "
"; +- tbl += ""; +- tbl += head; +- tbl += row; +- tbl += "
"; +- $('#' + parts[1] + '-' + parts[2]).after(tbl); +- +- if (d2a.length > 0) { +- var prVals = [spr1,spr2,spr3,spr4]; +- var pryBar = mkPribar(prVals); +- } else { +- var pryBar = mkPribar([0]); +- } +- $("#tl3a,#tl3b").fadeIn('slow'); +- $("#tl3b").tablesorter({ +- headers: { +- 0:{sorter:false}, +- 1:{sorter:false}, +- 5:{sorter:'ipv4'}, +- 8:{sorter:'ipv4'} +- }, +- cancelSelection:false +- }); +- $("#loader").hide(); +- } +- break; +- +- // Level 3 view - Packet Data +- +- case "3": +- var rowLoke = parts[1]; +- var nCols = $('#' + parts[1]).data('cols'); +- var filter = $('#' + parts[1]).data('filter'); +- var urArgs = "type=" + parts[0] + "&object=" + filter + "&ts=" + theWhen; +- var sg = $('#' + parts[1]).data('sg'); +- $(function(){ +- $.get(".inc/callback.php?" + urArgs, function(data){cb4(data)}); +- }); +- +- function cb4(data){ +- eval("theData=" + data); +- +- var tbl = '', head = '', row = ''; +- +- // If IP version is 0 we can jump right to the payload (likely bro, http or ossec agent) +- if (theData[0].ip_ver != 0) { +- +- var PDATA = 0; +- head += ""; +- head += ""; +- head += ""; +- head += ""; +- head += ""; +- head += ""; +- head += ""; +- head += ""; +- head += ""; +- head += ""; +- head += ""; +- head += ""; +- head += ""; +- head += ""; +- +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += "
IPVERIHLTOSLENGTHIDFLAGSOFFSETTTLCHECKSUMPROTO
" + theData[0].ip_ver + "" + theData[0].ip_hlen + "" + theData[0].ip_tos + "" + theData[0].ip_len + "" + theData[0].ip_id + "" + theData[0].ip_flags + "" + theData[0].ip_off + "" + theData[0].ip_ttl + "" + theData[0].ip_csum + "" + theData[0].ip_proto + "
"; +- +- switch (theData[0].ip_proto) { +- case "1": +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += "
ICMPTYPECODECHECKSUMIDSEQ#
" + theData[1].icmp_type + "" + theData[1].icmp_code + "" + theData[1].icmp_csum + "" + theData[1].icmp_id + "" + theData[1].icmp_seq + "
"; +- break; +- +- case "6": +- // TCP flags +- var tmpFlags = theData[1].tcp_flags || 'z'; +- switch (tmpFlags) { +- case 'z': var tcpFlags = '--------'; break; +- default: +- var binFlags = Number(theData[1].tcp_flags).toString(2); +- var binPad = 8 - binFlags.length; +- var tcpFlags = "00000000".substring(0,binPad) + binFlags; +- break; +- } +- var tcp_seq = theData[1].tcp_seq || '-'; +- var tcp_ack = theData[1].tcp_ack || '-'; +- var tcp_off = theData[1].tcp_off || '-'; +- var tcp_res = theData[1].tcp_res || '-'; +- var tcp_win = theData[1].tcp_win || '-'; +- var tcp_urp = theData[1].tcp_urp || '-'; +- var tcp_csum = theData[1].tcp_csum || '-'; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += "
TCPR1R0URGACKPSHRSTSYNFINSEQ#ACK#OFFSETRESWINURPCHECKSUM
" + tcpFlags[0] + "" + tcpFlags[1] + "" + tcpFlags[2] + "" + tcpFlags[3] + "" + tcpFlags[4] + "" + tcpFlags[5] + "" + tcpFlags[6] + "" + tcpFlags[7] + "" + tcp_seq + "" + tcp_ack + "" + tcp_off + "" + tcp_res + "" + tcp_win + "" + tcp_urp + "" + tcp_csum + "
"; +- break; +- +- case "17": +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += "
UDPLENGTHCHECKSUM
" + theData[1].udp_len + "" + theData[1].udp_csum + "
"; +- break; +- } +- +- var p_hex = '', p_ascii = '', p_ascii_l = ''; +- +- // Data +- if (!theData[2]) { +- p_hex = "No Data Sent."; +- p_ascii = "No Data Sent."; +- } else { +- p_pl = theData[2].data_payload; +- p_length = theData[2].data_payload.length; +- var b0 = 0; +- +- for(var i=0; i < p_length; i+=2) { +- b0++; +- t_hex = p_pl.substr(i,2); +- t_int = parseInt(t_hex,16); +- +- if ((t_int < 32) || (t_int > 126)) { +- p_hex += t_hex + " "; +- p_ascii += "."; +- p_ascii_l += "."; +- } else if (t_int == 60) { +- p_hex += t_hex + " "; +- p_ascii += "<"; +- p_ascii_l += "<"; +- } else if (t_int == 62) { +- p_hex += t_hex + " "; +- p_ascii += ">"; +- p_ascii_l += ">"; +- } else { +- p_hex += t_hex + " "; +- p_ascii += String.fromCharCode(parseInt(t_hex, 16)); +- p_ascii_l += String.fromCharCode(parseInt(t_hex, 16)); +- } +- +- if ((b0 == 16) && (i < p_length)) { +- p_hex += "
"; +- p_ascii += "
"; +- b0 = 0; +- } +- } +- } +- +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += "
DATAHEXASCII
" + p_hex + "" + p_ascii + "
ASCII" + p_ascii_l + "
"; +- +- } else { +- +- head += ""; +- var p_ascii = "No Data Sent."; +- // This needs to be more robust. +- if (theData[2]) { +- var tmp = h2s(theData[2].data_payload).split("\n"); +- p_ascii = ''; +- for (var i in tmp) { +- p_ascii += "
" + tmp[i] + "
"; +- } +- +- } +- row += ""; +- row += ""; +- row += "
" + p_ascii + "
"; +- } +- +- tbl += ""; +- +- // If we are not grouped we show the signature text +- if ( sg != 0 ) { +- tbl += "
"; +- tbl += "
"; +- tbl += "
"; +- tbl += "
"; +- tbl += "
"; +- tbl += "
"; +- sigLookup(sg); +- } +- +- // Comments and tags are done here +- var tags = new Array(); +- var eventTag = 'None.'; +- var eventComment = theData[0].comment || 'None.'; +- var src_tag = theData[0].srctag || '-'; +- var dst_tag = theData[0].dsttag || '-'; +- +- // Populate tags array +- if (src_tag != "-") { +- var src_tags = src_tag.split(","); +- $.each(src_tags, function(n,tag) { +- var t = tags.indexOf(tag + ",s"); +- if (t < 0) tags.push(tag + ",s"); +- }); +- } +- +- if (dst_tag != "-") { +- var dst_tags = dst_tag.split(","); +- $.each(dst_tags, function(n,tag) { +- var t = tags.indexOf(tag + ",d"); +- if (t < 0) tags.push(tag + ",d"); +- }); +- } +- +- if (tags.length > 0) eventTag = ''; +- +- tbl += "
COMMENTS
"; +- tbl += "
" + eventComment + "
"; +- tbl += "
TAGS
"; +- tbl += "
" + eventTag + "
"; +- if (PDATA != 0) { +- tbl += "
DETAILS
"; +- } else { +- tbl += "
PAYLOAD
"; +- } +- tbl += head; +- tbl += row; +- tbl += ""; +- $("#" + rowLoke).after(tbl); +- $("#loader").hide(); +- +- // Turn off fade effect for large results +- var rC = $(".d_row_sub1").length; +- if ( rC <= 499 ) { +- $(".d_row_sub1").fadeTo('fast','0.2'); +- } +- +- // Populate tags +- clearTags(); +- for (var i=0; i < tags.length; i++) { +- addTag(tags[i]); +- } +- +- } +- break; +- } +- // If event queue is off we need to reset this after load if b_ec_hot was +- // the entry point +- if ($('#rt').text() == 'off') rtbit = 0; +- } +- +- // +- // Object click handlers +- // +- +- $(document).on("click", ".select,.ex_val,.sub_filter,.row_filter,.tof,.value_link,.nr_f", function(e) { +- // Check if we are coming from a legit object +- var prefix = $(this).data('type'); +- if (prefix == "none") return; +- +- // Check if we are coming from a sane selection +- var selLen = window.getSelection().toString().length; +- if (selLen > 4) { +- if (selLen < 255) { // Might need to change these based on how people use this +- prefix = "zz"; +- var suffix = window.getSelection().toString(); +- var re = /\s/g; +- var NOK = re.exec(suffix); +- if (NOK) return; +- } else { +- return; +- } +- } else { +- var suffix = $(this).text(); +- } +- +- var mX = e.pageX; +- var mY = e.pageY; +- +- var colour = $(this).data('col') || "FFFFFF"; +- var tfocus = "#search"; +- switch (prefix) { +- case 'ip': +- hItemAdd(suffix); +- var sord = $(this).data('sord'); +- mkPickBox(prefix,suffix,sord,colour,mX,mY); +- break; +- case 'spt': +- case 'dpt': +- hItemAdd(suffix); +- mkPickBox(prefix,suffix,0,colour,mX,mY); +- break; +- case 'cc': +- case 'scc': +- case 'dcc': +- var cc = $(this).data('value'); +- hItemAdd(cc); +- mkPickBox(prefix,cc,suffix,colour,mX,mY); +- break; +- case 'cmt': +- suffix = $(this).data('comment'); +- $("#rt").text("off"); +- $("#rt").attr('class','tvalue_off'); +- $('#search').val(prefix + " " + suffix); +- hItemAdd(suffix); +- if ($('#cat_box').css('display') != 'none') { 
+- $('#ico01').click(); +- } +- $('.b_update').click(); +- break; +- case 'cmt_c': +- $('.cat_msg_txt').val(suffix); +- hItemAdd(suffix); +- tfocus = ".cat_msg_txt"; +- break; +- case 'fil': +- var fil = $(this).data('value'); +- $('#search').val(fil); +- hItemAdd(fil); +- if ($('#fltr_box').css('display') != 'none') { +- $('#ico04').click(); +- } +- $('.b_update').click(); +- break; +- case 'sid': +- var value = $(this).data('value'); +- hItemAdd(suffix); +- mkPickBox(prefix,value,suffix,colour,mX,mY); +- break; +- case 'st': +- var suffix = $(this).attr('id').split('-')[1]; +- $('#search').val(prefix + " " + suffix); +- // RT must be off to return anything +- $('#rt').attr('class','tvalue_off'); +- $('#rt').text('off'); +- rtbit = 0; +- $('.b_update').click(); +- break; +- case 'el': +- var suffix = $(this).data('value'); +- mkPickBox(prefix,suffix,0,colour,mX,mY); +- break; +- case 'zz': +- hItemAdd(suffix); +- mkPickBox(prefix,suffix,0,colour,mX,mY); +- break; +- } +- }); +- +- // +- // Picker Box +- // +- +- function mkPickBox(prefix,suffix,rsuffix,colour,mX,mY) { +- var doexternals = "yes"; +- var objhex = s2h(suffix); +- var tbl = '', row = ''; +- // Local stuff first +- switch (prefix[prefix.length - 1]) { +- case "c": +- row += ":: SRC or DST"; +- row += ":: SRC"; +- row += ":: DST"; +- row += ":: SEARCH"; +- break; +- case "p": +- row += ":: SRC or DST"; +- row += ":: SRC"; +- row += ":: DST"; +- row += ":: ADD / REMOVE TAG"; +- if ($('.sigtxt')[0]) { +- row += ":: HISTORY"; +- } +- row += ":: SEARCH"; +- row += ":: COLOUR  "; +- row += ""; +- row += "apply"; +- row += "apply all"; +- row += ""; +- break; +- case "t": +- row += ":: SRC"; +- row += ":: DST"; +- row += ":: SEARCH"; +- break; +- case "d": +- row += ":: SIGNATURE"; +- if ($('.sigtxt')[0]) { +- row += ":: HISTORY"; +- } +- row += ":: SEARCH"; +- break; +- case "l": +- row += ":: COLOUR  "; +- row += ""; +- row += "update"; +- doexternals = "no"; +- break; +- case "z": +- row += ":: SEARCH"; +- 
break; +- } +- +- // If applicable populate externals +- if (doexternals == "yes") { +- $('.f_row').each(function() { +- var ct = $(this).data('type'); +- if (ct == 'url') { +- var alias = $(this).data('alias'); +- var name = $(this).data('name'); +- var url = $(this).data('filter'); +- row += ""; +- row += "" + name + ""; +- row += ""; +- } +- }); +- } +- +- tbl += ""; +- tbl += row; +- tbl += "
"; +- +- var boxlabel = suffix; +- +- // Use more descriptive names where possible +- var re = /(sid|cc|scc|dcc)/; +- var OK = re.exec(prefix); +- if (OK) { +- var boxlabel = rsuffix; +- } +- +- if (boxlabel.length > 24) { +- boxlabel = boxlabel.substring(0,24); +- boxlabel += ".."; +- } +- +- $('#pickbox_label').text(boxlabel).css('font-weight','normal').data('sord', rsuffix); +- +- if ($('#tlpick')[0]) $('#tlpick').remove(); +- $(".pickbox_tbl").append(tbl); +- $('.pickbox').fadeIn('fast'); +- +- // Colour Picker +- $("#menucol").spectrum({ +- showInput: true, +- className: "full-spectrum", +- showInitial: true, +- showPalette: true, +- showSelectionPalette: true, +- maxPaletteSize: 6, +- preferredFormat: "hex", +- localStorageKey: "spectrum.demo", +- move: function (color) {}, +- show: function () {}, +- beforeShow: function () {}, +- hide: function () {}, +- change: function() {}, +- palette: [ +- ['rgb(217,217,217)','rgb(189,189,189)','rgb(150,150,150)','rgb(99,99,99)','rgb(37,37,37)'], +- ['rgb(199,233,192)','rgb(161,217,155)','rgb(116,196,118)','rgb(49,163,84)','rgb(0,109,44)'], +- ['rgb(218,218,235)','rgb(188,189,220)','rgb(158,154,200)','rgb(117,107,177)','rgb(84,39,143)'], +- ['rgb(198,219,239)','rgb(158,202,225)','rgb(107,174,214)','rgb(49,130,189)','rgb(8,81,156)'], +- ['rgb(254,217,118)','rgb(254,178,76)','rgb(253,141,60)','rgb(240,59,32)','rgb(189,0,38)'] +- ] +- }); +- } +- +- // Pickbox click events +- $(document).on('click', '.p_row', function() { +- if ($('.tagbox').css('display') != 'none') $('.tagcancel').click(); +- var ctype = $(this).data('type'); +- var alias = $(this).data('alias'); +- var args = $('#tlpick').data('val'); +- switch(ctype) { +- case "l": +- $('.pickbox').fadeOut('fast'); +- $('#search').val(alias + " " + args); +- $('.b_update').click(); +- break; +- case "r": +- $('.pickbox').fadeOut('fast'); +- var url = h2s($(this).data('url')).replace("${var}", args); +- window.open(url); +- break; +- case "t": +- 
$('.tagbox').fadeIn('fast'); +- $('.taginput').focus(); +- break; +- case "s": +- $('.pickbox').fadeOut('fast', function() {; +- $('#ico05').click(); +- }); +- $('.srch_txt').val(args); +- break; +- case "h": +- doHistory(args); +- $('.pickbox').fadeOut('fast'); +- break; +- default: return; +- } +- }); +- +- // +- // Tags +- // +- +- // Truncate +- function truncTag(tag,len) { +- if (tag.length > len) tag = tag.substring(0,len) + ".."; +- return tag; +- } +- +- // Filter results or add as new +- $(document).on('click', '.tag', function() { +- var tag = $(this).data('val'); +- if($('.taginput').is(":visible")) { +- $('.taginput').val(tag); +- $('.taginput').focus(); +- } else { +- $('#search').val('tag ' + tag); +- $('.b_update').click(); +- } +- }); +- +- // Remove individual tags on "(X)" click via payload area +- $(document).on('mouseenter', '.tag_d, .tag_s', function() { +- var tag = $(this).data('val'); +- if ($(".tag_x")[0]) return; +- var dw = $(this).width() - 5 + "px"; +- $(this).append("
X
"); +- $(".tag_x").css("margin-left", dw); +- $(".tag_x").fadeIn("slow"); +- +- }); +- +- $(document).on('mouseleave', '.tag_d, .tag_s', function() { +- $('.tag_x').remove(); +- }); +- +- $(document).on('click', '.tag_x', function() { +- var tag = $(this).parent().data("val"); +- var obj = $(this).parent().data("obj"); +- $(this).parent().remove(); +- var len = $("#tag_area").text().length; +- if (len == 0) $("#tag_area").append("None."); +- //doTag(s2h(obj),tag,'rm'); +- }); +- +- // Fire tag add on enter +- $('.taginput').keypress(function(e) { +- if (!e) e=window.event; +- key = e.keyCode ? e.keyCode : e.which; +- if (key == 13) $('.tagok').click(); +- }); +- +- // Close tag entry +- $(document).on('click', '.tagcancel', function() { +- $('.taginput').val(''); +- $('.tagbox').fadeOut('fast'); +- }); +- +- // Add a tag +- $(document).on('click', '.tagok', function() { +- var tag = $('.taginput').val(); +- var obj = $('#pickbox_label').text(); +- var re = /^[?a-zA-Z0-9][\s{1}\w-\.]*$/; +- var OK = re.exec(tag); +- if (OK) doTag(s2h(obj),tag,'add'); +- }); +- +- // Remove a tag +- $(document).on('click', '.tagrm', function() { +- var tag = truncTag($('.taginput').val(),20); +- var obj = $('#pickbox_label').text(); +- doTag(s2h(obj),tag,'rm'); +- $(".tag" + ":contains('" + tag + "')").remove(); +- $('.tagcancel').click(); +- }); +- +- // Display or Toggle tags +- function addTag(tag) { +- // If we entered from payload we have some additional info +- if ($('#eview_sub2')[0]) { +- var longTag = tag.split(",")[0]; +- var theClass = tag.split(",")[1]; +- var t_tag = truncTag(longTag,20); +- } else { +- var t_tag = truncTag(tag,20); +- } +- +- // Hide empty +- $('.tag_empty').hide(); +- +- // Check if tag exists +- var tag_exists = 0; +- $('.tag').each(function() { +- if ($(this).text() == t_tag) { +- $(this).addClass('tag_active'); +- tag_exists = 1; +- } +- }); +- +- // Add tag to left pane +- if (tag_exists == 0) { +- var newTag = "
" + t_tag + "
"; +- $('#tg_box').prepend(newTag); +- } +- +- // If we have the payload open, add here as well +- if ($('#eview_sub2')[0]) { +- if($('#pickbox_label').is(":visible")) { +- theClass = $('#pickbox_label').data('sord')[0]; +- } +- // Remove placeholder +- if ($('#tag_none')[0]) $('#tag_none').remove(); +- var newTag = "
" + t_tag + "
"; +- $('#tag_area').prepend(newTag); +- } +- +- } +- +- function doTag(obj,tag,op) { +- var urArgs = "type=19&obtype=tag&object=" + obj + "&value=" + tag + "&op=" + op; +- $(function(){ +- $.post(".inc/callback.php?" + urArgs, function(data){cb22(data)}); +- }); +- +- function cb22(data){ +- eval("theData=" + data); +- if (theData.msg != '') { +- alert(theData.msg); +- } else { +- if (op != 'rm') addTag(tag); +- $('.tagcancel').click(); +- } +- } +- } +- +- // Colours +- $(document).on('click', '.csave', function() { +- var obtype = $(this).data('obtype'); +- var object = $(this).data('object'); +- var colour = $('#menucol').val().replace(/#/,"").toUpperCase(); +- var op = "add"; +- var re = /^([A-Fa-f0-9]{6}|[A-Fa-f0-9]{3})$/; +- var OK = re.exec(colour); +- if (!OK) return; +- // Single or multiple? +- if (obtype == "src" || obtype == "dst") { +- var vr = new Array(); +- $("." + obtype).each(function() { +- var v = $(this).text(); +- var re = /\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}/; +- var OK = re.exec(v); +- if (OK) { +- var t = vr.indexOf(v); +- if (t < 0) vr.push(v); +- } +- }); +- object = vr.toString(); +- } +- +- var urArgs = "type=19&obtype=" + obtype + "_c&object=" + object + "&value=" + colour + "&op=" + op; +- $(function(){ +- $.post(".inc/callback.php?" + urArgs, function(data){cb22(data)}); +- }); +- +- function cb22(data){ +- eval("theData=" + data); +- if (theData.msg != '') { +- alert(theData.msg); +- } else { // We should be good.. +- var curObject = $('#pickbox_label').text(); +- if (obtype == "el") { +- var html = "
" + colour; +- $('#el_' + curObject).html(html); +- $('#el_' + curObject).data('col', colour); +- } else { +- $(".sub_filter:contains(" + curObject + ")").each(function() { +- $(this).find('.object').css('background-color', '#' + colour).parent().data('col', colour); +- }); +- } +- $('.pickbox').fadeOut('fast'); +- } +- } +- }); +- +- $(document).on('click', '.pickbox_close', function() { +- $('.tagcancel').click(); +- $('.pickbox').fadeOut('fast'); +- }); +- +- // +- // Object History +- // +- +- function hItemAdd(item) { +- var itemTitle = item; +- // Truncate +- if (item.length > 33) { +- itemTitle = item.substring(0,33) + ".."; +- } +- // Remove empty message +- $('.history_empty').hide(); +- +- // If the item doesn't exist, add it. Otherwise, we start counting. +- if ($(".h_item:contains('" + itemTitle + "')").length > 0) { +- var oc = $(".h_item:contains('" + itemTitle + "')").data('n'); +- var nc = Number(oc) + 1; +- var bg = '#c9c9c9'; +- var fn = 'normal'; +- if (nc <= 3) { +- bg = '#000'; +- } else if (nc > 3) { +- bg = '#cc0000'; +- fn = 'bold'; +- } +- +- $(".h_item:contains('" + itemTitle + "')").css('color', bg); +- $(".h_item:contains('" + itemTitle + "')").css('font-weight', fn); +- $(".h_item:contains('" + itemTitle + "')").data('n',nc); +- $(".h_item:contains('" + itemTitle + "')").text(itemTitle + "(" + nc + ")"); +- } else { +- var toAdd = " " + itemTitle + ""; +- $('#h_box').prepend(toAdd); +- } +- } +- +- if (!$('.h_item')[0]) { +- $('.history_empty').show(); +- } +- +- // Alt mappings for icons +- +- $.alt('1', function() { +- $("#ico01").click(); +- }); +- $.alt('2', function() { +- $("#ico02").click(); +- }); +- $.alt('3', function() { +- $("#ico03").click(); +- }); +- $.alt('4', function() { +- $("#ico05").click(); +- }); +- $.alt('5', function() { +- $("#ico04").click(); +- }); +- +- // +- // Event classification +- // +- +- // Use function keys to trigger status buttons +- $(document).keydown(function(event){ +- +- function stopOthers() 
{ +- event.originalEvent.keyCode = 0; +- event.preventDefault(); +- event.stopPropagation(); +- } +- +- switch (event.keyCode) { +- case 112: stopOthers(); $('#b_class-11').click(); break; +- case 113: stopOthers(); $('#b_class-12').click(); break; +- case 114: stopOthers(); $('#b_class-13').click(); break; +- case 115: stopOthers(); $('#b_class-14').click(); break; +- case 116: stopOthers(); $('#b_class-15').click(); break; +- case 117: stopOthers(); $('#b_class-16').click(); break; +- case 118: stopOthers(); $('#b_class-17').click(); break; +- case 119: stopOthers(); $('#b_class-1').click(); break; +- case 120: stopOthers(); $('#b_class-2').click(); break; +- } +- }); +- +- // Comment window status buttons +- $(document).on("click", "#cw_buttons", function(event) { +- var newclass = $(event.target).data('n'); +- if (newclass == 0) { +- $('#b_class-' + newclass).click(); +- } else { +- $('#b_class-' + newclass).click(); +- } +- }); +- +- // Highlight colour for selected events +- var hlcol = "#FFFFE0"; +- var hlhov = "#FDFDD6"; +- +- // Individual selects +- var clickOne = 0, clck1 = 0, clck2 = 0; +- $(document).on("click", ".chk_event", function(event) { +- $("#tl3b").trigger('update'); +- var clickTwo = this.id.split("_"); +- if (Number(clickOne[1]) > Number(clickTwo[1])) { +- clck1 = clickTwo[1]; +- clck2 = clickOne[1]; +- } else { +- clck1 = clickOne[1]; +- clck2 = clickTwo[1]; +- } +- +- if (event.shiftKey) { +- if (clck1 != clck2) { +- $("#s" + clck1).nextUntil("#s" + clck2).find(".chk_event").prop("checked", true); +- $("#s" + clck1).nextUntil("#s" + clck2).css("background-color", hlcol); +- $("#s" + clck1).nextUntil("#s" + clck2).hover( +- function(){$(this).css("background-color", hlhov)}, +- function(){$(this).css("background-color", hlcol)}); +- clickOne = 0, clck1 = 0, clck2 = 0; +- } +- } +- +- // Update class_count +- $("#class_count").html($(".chk_event:checked").length); +- if ($("#ca1:checked").length > 0) { +- $("#ca1").prop("checked",false); +- 
} +- clickOne = this.id.split("_"); +- +- if ($(this).prop("checked") == true) { +- $("#s" + clickTwo[1]).css("background-color", hlcol); +- $("#s" + clickTwo[1]).hover(function(){$(this).css("background-color", hlhov)}, +- function(){$(this).css("background-color", hlcol)}); +- } else { +- $("#s" + clickTwo[1]).css("background-color", "transparent"); +- $("#s" + clickTwo[1]).hover(function(){$(this).css("background-color", "#f4f4f4")}, +- function(){$(this).css("background-color", "transparent")}); +- } +- }); +- +- // Select all (2) +- $(document).on("click", "#ca1", function(event) { +- var chkLen = $("#ca1:checked").length; +- switch(chkLen) { +- case 0: +- $(".chk_event").prop("checked",false); +- $("#ca0").prop("checked",false); +- $(".d_row_sub1").css("background-color", "transparent"); +- $(".d_row_sub1").hover(function(){$(this).css("background-color", "#f4f4f4")}, +- function(){$(this).css("background-color", "transparent")}); +- break; +- default: +- $(".chk_event").each(function() { +- if ($(this).prop("disabled") == false) { +- $(this).prop("checked",true); +- } +- }); +- $(".d_row_sub1").css("background-color", hlcol); +- $(".d_row_sub1").hover(function(){$(this).css("background-color", hlhov)}, +- function(){$(this).css("background-color", hlcol)}); +- $("#ca0").prop("checked",true); +- break; +- } +- +- if ($(".eview_sub1")[0]) { +- // Update class_count +- $("#class_count").html($(".chk_event:checked").length); +- } +- +- }); +- +- // Select all (2a) - clean this up, the above is almost identical +- $(document).on("click", "#ca2", function(event) { +- var chkLen = $("#ca2:checked").length; +- switch(chkLen) { +- case 0: +- $(".chk_event").prop("checked",false); +- $("#ca2").prop("checked",false); +- $(".d_row_sub1").css("background-color", "transparent"); +- $(".d_row_sub1").hover(function(){$(this).css("background-color", "#f4f4f4")}, +- function(){$(this).css("background-color", "transparent")}); +- break; +- default: +- 
$(".chk_event").each(function() { +- if ($(this).prop("disabled") == false) { +- $(this).prop("checked",true); +- } +- }); +- $(".d_row_sub1").css("background-color", hlcol); +- $(".d_row_sub1").hover(function(){$(this).css("background-color", hlhov)}, +- function(){$(this).css("background-color", hlcol)}); +- $("#ca2").prop("checked",true); +- break; +- } +- // Update class_count +- $("#class_count").html($(".chk_event:checked").length); +- }); +- +- // Class button click +- $(document).on("click", "[id*=\"b_class-\"]", function() { +- // We only fire if something is selected +- var chkLen = parseInt($(".chk_event:checked").length + $(".chk_all:checked").length); +- var intclass = $(this).attr('id').split("-"); +- if (chkLen > 0 && intclass[1] != 0) { +- eClass(this,intclass[1]); +- } +- }); +- +- function eClass(caller,intclass) { +- // The sid.cid values +- var scid= "", scidlist = "", ecls = 0; +- if ($(".eview_sub1")[0] || $("#ca2")[0]) { +- $(".chk_event:checked").each(function() { +- if ($(this).data('eclass') == 0) { +- ecls++; +- } +- scid += $(this).val() + ","; +- }); +- scidlist = scid.replace(/,$/, ""); +- } else { +- ecls = $(".d_row_active").find(".b_ec_hot").text(); +- scidlist = $("#ca0").data("scid"); +- } +- +- // Was there a message? +- var msg = "none"; +- if ($(".cat_msg_txt").val().length != 0) { +- msg = $(".cat_msg_txt").val(); +- } +- +- if ($('#cat_box').css('display') != 'none') { +- $('#ico01').click(); +- } +- +- // We are now ready to class +- var catdata = intclass + "|||" + msg + "|||" + scidlist; +- var urArgs = "type=" + 9; +- $(function(){ +- $.post(".inc/callback.php?" 
+ urArgs, { catdata: catdata } ,function(data){cb9(data)}); +- }); +- +- function cb9(data){ +- eval("catRaw=" + data); +- catDbg = catRaw.dbg; +- if (catDbg == "0") { +- +- var curtotalrtcount = Number(ecls); +- // Working on grouped events +- if ($("#gr").text() == "on") { +- curclasscount = Number($("#class_count").text()); +- var curtotalparentcount = $(".d_row_active").find(".b_ec_hot").text(); +- // Do we have queued events? +- if (curtotalparentcount > 0) { +- +- // Are we working on queued events? +- if (curtotalrtcount > 0) { +- curclasscount = curtotalrtcount; +- } else { +- curclasscount = 0; +- } +- // Adjust the parent count +- newparentcount = parseInt(curtotalparentcount - curclasscount,10); +- $(".d_row_active").find(".b_ec_hot").text(newparentcount); +- +- if (newparentcount == 0) { +- $(".d_row_active").find(".b_ec_hot").parent().attr('class','row'); +- $(".d_row_active").find(".b_ec_hot").attr('class','b_ec_cold'); +- } +- +- // If we are working within the child, adjust accordingly +- if ($(".eview_sub1")[0]) { +- // How many are in the child +- curtotalchildcount = $(".d_row_sub_active").find(".b_ec_hot").text(); +- +- // Adjust the child count +- newchildcount = parseInt(curtotalchildcount - curclasscount,10); +- $(".d_row_sub_active").find(".b_ec_hot").text(newchildcount); +- if (newchildcount == 0) { +- $("#ca1").prop("disabled",true); +- $(".d_row_sub_active").find(".b_ec_hot").parent().attr('class','sub'); +- $(".d_row_sub_active").find(".b_ec_hot").attr('class','b_ec_cold'); +- } +- // Otherwise we were called from the parent +- } else { +- $(".d_row_sub").find(".b_ec_hot").parent().attr('class','sub'); +- $(".d_row_sub").find(".b_ec_hot").text(0); +- $(".d_row_sub").find(".b_ec_hot").attr('class','b_ec_cold'); +- $("#ca0").prop("disabled",true); +- } +- lastclasscount = newparentcount; +- } +- +- // Lastly, update class_count +- if (rtbit == 1 || curtotalrtcount > 0 || $("#eview_sub")[0]) { +- $("#class_count").html(0); +- } else { +- 
$("#class_count").html($(".d_row_active").find(".b_ec_total").text()); +- } +- +- // Working on ungrouped events +- } else { +- $("#class_count").html(lastclasscount); +- } +- +- // What the new classification is +- selClass = $(caller).data("cn"); +- newClass = "a_" + selClass; +- +- // Change visible class and disable if RT +- // If we are RT ungrouped, we just remove +- if ($('#rt').text() == 'on' && $("#ca2")[0]) { +- $(".chk_event:checked").each(function() { +- var pid = $(this).attr("id").split("_"); +- var nid = parseInt(Number(pid[1]) + 1); +- // Remove any open payload or TX panes +- if ($("[id^=eview_]")[0]) { +- $("[id^=eview_]").remove(); +- $(".d_row_sub1").css('opacity','1'); +- } +- // Remove the row +- $("#s" + pid[1]).fadeOut('fast', function() { +- $("#s" + pid[1]).remove(); +- }); +- }); +- +- // Update table (for sorter) +- $("#tl3b").trigger('update'); +- } else { +- // If we are RT and all events are classed we just remove +- if ($('#rt').text() == 'on' && $(".d_row_active").find(".b_ec_hot").text() == 0) { +- $("#active_eview").remove(); +- $(".d_row_active").fadeOut('slow', function (event) { +- $(".d_row_active").remove(); +- var newsigtotal = "-"; +- var sigtotal = $("#esignature").text(); +- if (sigtotal > 0) { +- newsigtotal = parseInt(sigtotal - 1); +- } +- $("#esignature").text(newsigtotal); +- }); +- $(".d_row").css('opacity','1'); +- } else { +- $(".chk_event:checked").each(function() { +- var n = this.id.split("_"); +- $("#class_box_" + n[1]).attr('class', newClass); +- $("#class_box_" + n[1]).text(selClass); +- if (curtotalparentcount > 0) { +- $(this).prop("disabled",true); +- } +- }); +- } +- $(".d_row_sub1").css("background-color", "#fafafa"); +- $(".d_row_sub1").hover(function(){$(this).css("background-color", "#f4f4f4")}, +- function(){$(this).css("background-color", "#fafafa")}); +- } +- +- // Uncheck everything +- $(".chk_event").prop("checked", false); +- $(".chk_all").prop("checked", false); +- // Remove these scids from 
the L1 scidlist +- if ($("#ca0")[0] && rtbit == 1) { +- var cur_scidlist = scidlist.split(','); +- var active_scidlist = $("#ca0").data("scid"); +- for (var i = 0; i < cur_scidlist.length; i++) { +- active_scidlist = active_scidlist.replace(cur_scidlist[i],''); +- } +- active_scidlist = active_scidlist.replace(/,{2,}/g,','); +- active_scidlist = active_scidlist.replace(/(^,|,$)/g,''); +- $("#ca0").data("scid", active_scidlist); +- } +- catMsg(scidlist.split(',').length, curtotalrtcount); +- } else { +- catMsg(0); +- } +- } +- } +- +- function catMsg(count, rtcount) { +- switch (count) { +- default: +- var ess = ''; +- if ( count > 1 ) ess = 's'; +- +- var numrows = Number($('.d_row').length + $('.d_row_sub1').length); +- var newboxtotal = 0, newcatcount = 0; +- newboxtotal = parseInt($("#qtotal").text() - rtcount); +- $("#qtotal").text(newboxtotal); +- +- // If we are just rt update Total boxes as we go +- if ($("#ca2")[0]) { // We are ungrouped +- newcatcount = parseInt($("#cat_count").text() - count); +- if (newcatcount == 0) { +- newView("u"); +- } else { +- $("#cat_count").text(newcatcount); +- } +- } +- +- if (numrows == 0) { +- newView("u"); +- } +- +- var msg = count + " event" + ess + " categorized"; +- clearTags(); +- break; +- } +- +- $("span.class_msg").text(msg); +- $("span.class_msg").fadeIn('slow', function() { +- setTimeout(function(){ +- $(".class_msg").fadeOut('slow'); +- }, 3000); +- }); +- } +- +- // Load summary tab +- function loadSummary() { +- var limit = 10; +- if ($('#wm0')[0]) { +- doMap("redraw"); +- } else { +- doMap("draw"); +- } +- mkSummary("signature",limit); +- mkSummary("srcip",limit); +- mkSummary("dstip",limit); +- mkSummary("srcpt",limit); +- mkSummary("dstpt",limit); +- mkSummary("srccc",limit); +- mkSummary("dstcc",limit); +- } +- +- // Toggle summary section +- $(document).on("click", ".hidepane", function(e) { +- $('#topsignature').toggle(); +- }); +- +- // Summary tab +- function mkSummary(box,limit) { +- var theWhen = 
getTimestamp(); +- var theSensors = s2h('empty'); +- var theFilter = mkFilter(); +- // See if we are filtering by sensor +- if ($('.chk_sen:checked').length > 0) { +- var active_sensors = "AND event.sid IN("; +- var iter = $('.chk_sen:checked').length; +- $('.chk_sen:checked').each(function() { +- active_sensors += "'" + $(this).val() + "',"; +- }); +- active_sensors = active_sensors.replace(/,+$/,''); +- active_sensors += ")"; +- theSensors = s2h(active_sensors); +- } +- +- var ldr = "
"; +- $('#ov_' + box + '_sl').prepend(ldr); +- $('#top' + box).fadeTo('fast', 0.2); +- switch (box) { +- case "srcip": +- var cbArgs = "srcip"; +- var qargs = "ip-src"; +- var urArgs = "type=15&qargs=" + qargs + "&filter=" + theFilter + "&sensors=" + theSensors + "&limit=" + limit + "&ts=" + theWhen; +- $(function(){ +- $.get(".inc/callback.php?" + urArgs, function(data){cb15(data,cbArgs)}); +- }); +- break; +- case "dstip": +- var cbArgs = "dstip"; +- var qargs = "ip-dst"; +- var urArgs = "type=15&qargs=" + qargs + "&filter=" + theFilter + "&sensors=" + theSensors + "&limit=" + limit + "&ts=" + theWhen; +- $(function(){ +- $.get(".inc/callback.php?" + urArgs, function(data){cb15(data,cbArgs)}); +- }); +- break; +- case "srcpt": +- var cbArgs = "srcpt"; +- var qargs = "pt-src"; +- var urArgs = "type=15&qargs=" + qargs + "&filter=" + theFilter + "&sensors=" + theSensors + "&limit=" + limit + "&ts=" + theWhen; +- $(function(){ +- $.get(".inc/callback.php?" + urArgs, function(data){cb17(data,cbArgs)}); +- }); +- break; +- case "dstpt": +- var cbArgs = "dstpt"; +- var qargs = "pt-dst"; +- var urArgs = "type=15&qargs=" + qargs + "&filter=" + theFilter + "&sensors=" + theSensors + "&limit=" + limit + "&ts=" + theWhen; +- $(function(){ +- $.get(".inc/callback.php?" + urArgs, function(data){cb17(data,cbArgs)}); +- }); +- break; +- case "signature": +- var qargs = "sig-sig"; +- var urArgs = "type=15&qargs=" + qargs + "&filter=" + theFilter + "&sensors=" + theSensors + "&limit=" + limit + "&ts=" + theWhen; +- $(function(){ +- $.get(".inc/callback.php?" + urArgs, function(data){cb16(data)}); +- }); +- break; +- case "srccc": +- var cbArgs = "srccc"; +- var qargs = "cc-src"; +- var urArgs = "type=15&qargs=" + qargs + "&filter=" + theFilter + "&sensors=" + theSensors + "&limit=" + limit + "&ts=" + theWhen; +- $(function(){ +- $.get(".inc/callback.php?" 
+ urArgs, function(data){cb15(data,cbArgs)}); +- }); +- break; +- case "dstcc": +- var cbArgs = "dstcc"; +- var qargs = "cc-dst"; +- var urArgs = "type=15&qargs=" + qargs + "&filter=" + theFilter + "&sensors=" + theSensors + "&limit=" + limit + "&ts=" + theWhen; +- $(function(){ +- $.get(".inc/callback.php?" + urArgs, function(data){cb15(data,cbArgs)}); +- }); +- break; +- } +- +- // IP and Country +- function cb15(data,cbArgs){ +- var ch = "SRC"; +- var wip = "d"; +- if (cbArgs[0] == "s") ch = "DST", wip = "s"; +- eval("raw=" + data); +- var tbl = '', head = '', row = ''; +- head += ""; +- head += "COUNT"; +- head += "%TOTAL"; +- head += "#SIG"; +- head += "#" + ch + ""; +- if (cbArgs[3] == "c") { +- head += "COUNTRY"; +- head += "#IP"; +- } else { +- head += "IP"; +- head += "COUNTRY"; +- } +- head += ""; +- +- var eventsum = raw[raw.length - 1].n || 0; +- var records = raw[raw.length - 1].r || 0; +- if (records == 0) { +- row = "No result."; +- $("#ov_" + cbArgs + "_sl").text(""); +- } +- for (var i=0; i 0) per = parseFloat(cnt/eventsum*100).toFixed(2); +- row += ""; +- row += "" + cnt + ""; +- row += "" + per + "%"; +- row += "" + sigs + ""; +- row += "" + ip2 + ""; +- +- if (cbArgs[3] == "c") { +- row += ""; +- row += cs[1] + clong + " (." + cc.toLowerCase() + ")" + ""; +- row += "" + ip + ""; +- } else { +- row += "
" + ip + ""; +- row += ""; +- row += cs[1] + clong + " (." + cc.toLowerCase() + ")" + ""; +- } +- row += ""; +- row += "
"; +- } +- tbl += ""; +- tbl += head; +- tbl += row; +- tbl += "
"; +- if ($("#top" + cbArgs)[0]) $("#top" + cbArgs).remove(); +- $("#ov_" + cbArgs + "_sl").after(tbl); +- $("#ov_" + cbArgs + "_msg").html("viewing " + i + " of " + records + " results"); +- mkSlider("ov_" + cbArgs + "_sl", i, records); +- } +- +- // Ports +- function cb17(data,cbArgs){ +- eval("raw=" + data); +- var tbl = '', head = '', row = ''; +- head += ""; +- head += "COUNT"; +- head += "%TOTAL"; +- head += "#SIG"; +- head += "#SRC" +- head += "#DST"; +- head += "PORT"; +- head += ""; +- +- var eventsum = raw[raw.length - 1].n || 0; +- var records = raw[raw.length - 1].r || 0; +- if (records == 0) { +- row = "No result."; +- $("#ov_" + cbArgs + "_sl").text(""); +- } +- for (var i=0; i 0) per = parseFloat(cnt/eventsum*100).toFixed(2); +- row += ""; +- row += "" + cnt + ""; +- row += "" + per + "%"; +- row += "" + sigs + ""; +- row += "" + src + ""; +- row += "" + dst + ""; +- row += "" + port + ""; +- row += ""; +- row += "
"; +- } +- tbl += ""; +- tbl += head; +- tbl += row; +- tbl += "
"; +- if ($("#top" + cbArgs)[0]) $("#top" + cbArgs).remove(); +- $("#ov_" + cbArgs + "_sl").after(tbl); +- $("#ov_" + cbArgs + "_msg").html("viewing " + i + " of " + records + " results"); +- mkSlider("ov_" + cbArgs + "_sl", i, records); +- } +- // Signature +- function cb16(data){ +- eval("raw=" + data); +- var tbl = '', head = '', row = ''; +- head += ""; +- head += "COUNT"; +- head += "%TOTAL"; +- head += "#SRC"; +- head += "#DST"; +- head += "SIGNATURE"; +- head += "ID"; +- head += ""; +- +- var eventsum = raw[raw.length - 1].n || 0; +- var records = raw[raw.length - 1].r || 0; +- if (records == 0) { +- row = "No result."; +- $("#ov_signature_sl").text(""); +- $("#ovestat").html("(No events)"); +- } else { +- $("#ovestat").html("(" + eventsum + " events)"); +- } +- for (var i=0; i 0) per = parseFloat(cnt/eventsum*100).toFixed(2); +- row += ""; +- row += "" + cnt + ""; +- row += "" + per + "%"; +- row += "" + src + ""; +- row += "" + dst + ""; +- row += "" + sig + ""; +- row += "" + sid + ""; +- row += ""; +- row += "
"; +- } +- +- tbl += ""; +- tbl += head; +- tbl += row; +- tbl += "
"; +- if ($('#topsignature')[0]) $('#topsignature').remove(); +- $("#ov_signature_sl").after(tbl); +- $("#ov_signature_msg").html("viewing " + i + " of " + records + " results"); +- mkSlider("ov_signature_sl", i, records); +- } +- } +- +- $(".ovsl").mouseup(function() { +- var section = $(this).attr('id'); +- var base = section.split("_")[1]; +- var limit = Number($("#" + section + "_lbl").text()); +- if (limit > 0) mkSummary(base, limit); +- }); +- +- // +- // Views tab +- // +- +- function loadViews() { +- $('.db_links').show(); +- if (!$("#db_view_cont")[0]) mkView(); +- } +- +- // Link handlers +- $(document).on('click', '.db_link', function() { +- $('.db_link').each(function() { +- if ($(this).data('state') == '1') { +- $(this).removeClass('db_link_active'); +- $(this).data('state', '0'); +- } +- }); +- $(this).data('state', '1'); +- mkView(); +- }); +- +- $(document).on('click', '.db_type', function() { +- $('.db_type').each(function() { +- if ($(this).data('state') == '1') { +- $(this).removeClass('db_type_active'); +- $(this).data('state', '0'); +- } +- }); +- $(this).data('state', '1'); +- mkView(); +- }); +- +- $(document).on('click','.db_save', function() { +- +- }); +- +- // Create the view +- function mkView() { +- $('#db_view_cont,#hp_info').remove(); +- if (!$("#db_view_ldr")[0]) { +- var view = 'ip'; +- $('.db_link').each(function() { +- if ($(this).data('state') == '1') { +- $(this).addClass('db_link_active'); +- view = $(this).data('val'); +- } +- }); +- +- var type = 'sk'; +- $('.db_type').each(function() { +- if ($(this).data('state') == '1') { +- $(this).addClass('db_type_active'); +- type = $(this).data('type'); +- } +- }); +- +- var theWhen = getTimestamp(); +- var theSensors = s2h('empty'); +- var theFilter = mkFilter(); +- // See if we are filtering by sensor +- if ($('.chk_sen:checked').length > 0) { +- var active_sensors = "AND event.sid IN("; +- var iter = $('.chk_sen:checked').length; +- $('.chk_sen:checked').each(function() { +- 
active_sensors += "'" + $(this).val() + "',"; +- }); +- active_sensors = active_sensors.replace(/,+$/,''); +- active_sensors += ")"; +- theSensors = s2h(active_sensors); +- } +- +- var ldr = "
"; +- $('.db_view').after(ldr); +- var qargs = view + "-" + type; +- var urArgs = "type=16&qargs=" + qargs + "&filter=" + theFilter + "&sensors=" + theSensors + "&ts=" + theWhen; +- $(function(){ +- $.get(".inc/callback.php?" + urArgs, function(data){cb17(data,type)}); +- }); +- +- function cb17(data,type) { +- eval("viewData=" + data); +- var records = viewData.records; +- if ($('#db_view_cont')[0]) $('#db_view_cont').remove(); +- if (records > 0) { +- $('.db_view').after("
"); +- switch (type) { +- case 'sk': +- var w = $(window).width(); +- var h = viewData.links.length * 12; +- if (h < 100) h = 100; +- mkSankey("db_view_cont",viewData,w,h); +- break; +- } +- } else { +- $('.db_view').after("
The query returned no results.
"); +- } +- $('#db_view_ldr').remove(); +- } +- } +- } +- +- // Make a map +- function doMap() { +- theWhen = getTimestamp(); +- var theFilter = mkFilter(); +- var working = "Working
"; +- +- $('#wm0').html(working); +- +- var urArgs = "type=" + 10 + "&filter=" + theFilter + "&ts=" + theWhen; +- $(function(){ +- $.get(".inc/callback.php?" + urArgs, function(data){cb10(data)}); +- }); +- +- function cb10(data){ +- eval("mapRaw=" + data); +- try { +- var mapDetail = $.parseJSON("{" + mapRaw.all + "}"); +- var srcc = mapRaw.srcc; +- var srce = mapRaw.srce; +- var dstc = mapRaw.dstc; +- var dste = mapRaw.dste; +- var allc = mapRaw.allc; +- var alle = mapRaw.alle; +- } +- catch(e) { +- var mapDetail = "{\"\"}"; +- } +- +- // What is our current event total? +- var esum = $('#event_sum').val(); +- var w = $(window).width() - 72; +- var h = w / 2.7 ; +- $("#ov_map").html("
"); +- $('#wm0').vectorMap({ +- map: 'world_mill_en', +- color: '#f4f3f0', +- backgroundColor: '#CFE1FC', +- zoomOnScroll: false, +- onRegionClick: function(event, code){ +- hItemAdd(code); +- $('#search').val("cc" + " " + code); +- $('#search').focus(); +- }, +- series: { +- regions: [{ +- values: mapDetail, +- scale: ['#ffffff', '#000000'], +- normalizeFunction: 'polynomial' +- }] +- }, +- onRegionLabelShow: function(e, el, code){ +- if (mapDetail[code]) { +- var eper = parseFloat(mapDetail[code]/esum*100).toFixed(3); +- el.html(el.html() + ' (' + mapDetail[code] + ' Events ' + eper + '% of Total)'); +- } else { +- el.html(el.html()); +- } +- } +- }); +- +- var stats = "("; +- stats += allc + " distinct countries)"; +- $("#ovmapstat").html(stats); +- } +- } +- +- // Redraw map +- $(document).on("click", "#map_src, #map_dst", function() { +- doMap($(this).attr('id').split("_")[1]); +- }); +- +- // +- // History +- // +- +- function doHistory(object) { +- $('#loader').show(); +- var urArgs = "type=" + 21 + "&object=" + s2h("aa" + object) + "&ts=" + theWhen; +- $(function(){ +- $.get(".inc/callback.php?" 
+ urArgs, function(data){cb21(data)}); +- }); +- +- function cb21(data){ +- eval("chartData=" + data); +- var r1 = chartData.r1; +- var r2 = chartData.r2; +- var sum = 0; +- if (r1 > 0) { +- mkHeatMap(".ev_hm",chartData.start,chartData.rows1,object); +- $('#obhist_sig').remove(); +- if (r2 > 0) { +- +- for (var i=0; i < r2; i++) { +- sum += Number(chartData.rows2[i].value); +- } +- +- var tbl = '', head = '', row = ''; +- head += ""; +- head += "COUNT"; +- head += "%TOTAL"; +- head += "SIGNATURE"; +- head += ""; +- row += ""; +- +- for (var i=0; i < r2; i++) { +- +- var cnt = chartData.rows2[i].value || "-"; +- var sig = chartData.rows2[i].label || "-"; +- var sid = chartData.rows2[i].sid || "-"; +- var per = 0; +- if (sum > 0) var per = parseFloat(cnt/sum*100).toFixed(2); +- var tsg = truncTag(sig,60); +- +- row += ""; +- row += "" + cnt + ""; +- row += "" + per + "%"; +- row += "" + tsg + ""; +- row += "" +- row += "
"; +- } +- +- row += ""; +- tbl += ""; +- tbl += head; +- tbl += row; +- tbl += "
";
+- if ($('#obhist_sig')[0]) $('#obhist_sig').remove();
+- $(".ev_py").append(tbl);
+- }
+- } else {
+- return;
+- }
+- if ($(".eview_charts")[0]) $('.eview_charts').slideDown('slow');
+- $("#loader").hide();
+- }
+- }
+-// The End.
+-});
+--- securityonion-squert-20161212.orig/.auth/native/squert/login.php
++++ /dev/null
+@@ -1,138 +0,0 @@
+-
+-//
+-// This program is free software: you can redistribute it and/or modify
+-// it under the terms of the GNU General Public License as published by
+-// the Free Software Foundation, either version 3 of the License, or
+-// (at your option) any later version.
+-//
+-// This program is distributed in the hope that it will be useful,
+-// but WITHOUT ANY WARRANTY; without even the implied warranty of
+-// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+-// GNU General Public License for more details.
+-//
+-// You should have received a copy of the GNU General Public License
+-// along with this program. If not, see .
+-//
+-//
+-
+-include_once '.inc/config.php';
+-
+-$username = $password = $err = '';
+-$focus = 'username';
+-session_set_cookie_params(0, NULL, NULL, NULL, TRUE);
+-
+-function cleanUp($string) {
+- if (get_magic_quotes_gpc()) {
+- $string = stripslashes($string);
+- }
+- $string = mysql_real_escape_string($string);
+- return $string;
+-}
+-
+-if ($_SERVER['REQUEST_METHOD'] == 'POST'){
+- $username = $_REQUEST['username'];
+- $password = $_REQUEST['password'];
+- $ua = $_SERVER['HTTP_USER_AGENT'];
+- $rqt = $_SERVER['REQUEST_TIME'];
+- $rqaddr = $_SERVER['REMOTE_ADDR'];
+- $max = mt_getrandmax();
+- $rqt .= mt_rand(0,$max);
+- $rqaddr .= mt_rand(0,$max);
+- $ua .= mt_rand(0,$max);
+- $cmpid = $rqt . $rqaddr .
$ua;
+- $id = md5($cmpid);
+- $db = mysql_connect($dbHost,$dbUser,$dbPass);
+- $link = mysql_select_db($dbName, $db);
+- if ($link) {
+- $user = cleanUp($username);
+- $query = "SELECT * FROM user_info WHERE username = '$user'";
+- $result = mysql_query($query);
+- $numRows = mysql_num_rows($result);
+-
+- if ($numRows > 0) {
+- while ($row = mysql_fetch_row($result)) {
+- $userName = $row[1];
+- $lastLogin = $row[2];
+- $userHash = $row[3];
+- $userEmail = $row[4];
+- $userType = $row[5];
+- $userTime = $row[6];
+- $tzoffset = $row[7];
+- }
+- // The first 2 chars are the salt
+- $theSalt = substr($userHash, 0,2);
+-
+- // The remainder is the hash
+- $theHash = substr($userHash, 2);
+-
+- // Now we hash the users input
+- $testHash = sha1($password . $theSalt);
+-
+- // Does it match? If yes, start the session.
+- if ($testHash === $theHash) {
+- session_start();
+-
+- // Protect against session fixation attack
+- if (!isset($_SESSION['initiated'])) {
+- session_regenerate_id();
+- $_SESSION['initiated'] = true;
+- }
+-
+- $_SESSION['sLogin'] = 1;
+- $_SESSION['sUser'] = $userName;
+- $_SESSION['sPass'] = $password;
+- $_SESSION['sEmail'] = $userEmail;
+- $_SESSION['sType'] = $userType;
+- $_SESSION['sTime'] = $userTime;
+- $_SESSION['tzoffset'] = $tzoffset;
+- $_SESSION['sTab'] = 't_sum';
+- $_SESSION['id'] = $id;
+-
+- header ("Location: index.php?id=$id");
+- } else {
+- $err = 'The user name or password is incorrect.';
+- $focus = 'username';
+- }
+- } else {
+- $err = 'The user name or password is incorrect.';
+- $focus = 'username';
+- }
+- } else {
+- $err = 'Connection Failed';
+- }
+-}
+-?>
+-
+-
+-
+-Please login to continue
+-
+-
+-
+-
+-
+-
+- +- +- +- +- +- +-
+-squert - Please login to continue
+-Username
+-
+-Password
+-
+-

+-
Version 1.6.7©2016 Paul Halliday
+-
+-
+- +- +- +--- securityonion-squert-20161212.orig/.auth/sso/squert/.js/squertMain.js ++++ /dev/null +@@ -1,3276 +0,0 @@ +-/* Copyright (C) 2012 Paul Halliday */ +- +-$(document).ready(function(){ +- +- $(document).on('click', '[class*="bpr"]', function() { +- // We disallow filtering if any events have already been selected +- // or if we stray from the event tab +- if ($('.d_row_active')[0]) return; +- if ($(".chk_event:checked").length > 0) return; +- if ($(".tab_active").attr('id') != 't_sum') return; +- +- var prClass = $(this).attr('class').split('b')[1]; +- var prOld = $(this).data('pr'); +- +- function flipIt(pattern) { +- $(pattern).closest('tr').hide(); +- $(pattern).closest('tr').attr('class','hidden'); +- if ($('#gr').text() == 'on') $(pattern).closest('tr').find('.chk_event').prop("disabled",true); +- } +- if ($('.b' + prClass).attr('class') == 'bprA') { +- $('.b' + prClass).attr('class', 'bpr' + prOld); +- $('.hidden').attr('class','d_row'); +- $('.d_row').show(); +- if ($('#gr').text() == 'on') { +- $('.chk_event').prop("disabled",false); +- $('.chk_all').prop("checked",false); +- $('.chk_event').css("background-color", "#fafafa"); +- } +- } else { +- // See if we are already filtered +- if ($('.bprA')[0]) { +- $('.hidden').attr('class','d_row'); +- $('.d_row').show(); +- if ($('#gr').text() == 'on') { +- $('.chk_event').prop("disabled",false); +- $('.chk_all').prop("checked",false); +- $('.chk_event').css("background-color", "#fafafa"); +- } +- var prPrev = $('.bprA').data('pr'); +- $('.bprA').attr('class', 'bpr' + prPrev); +- } +- $('.b' + prClass).attr('class','bprA'); +- switch (prClass) { +- case "pr1": ptrn = ".pr2,.pr3,.pr4"; break; +- case "pr2": ptrn = ".pr1,.pr3,.pr4"; break; +- case "pr3": ptrn = ".pr1,.pr2,.pr4"; break; +- case "pr4": ptrn = ".pr1,.pr2,.pr3"; break; +- } +- flipIt(ptrn); +- } +- }); +- +- // +- // Load main content +- // +- +- // Keep track of context +- thisUser = $('#t_usr').data('c_usr'); +- thisTZ = $('#user_tz').val(); 
+- rtbit = 0; +- eventList("0-aaa-00"); +- $("#loader").show(); +- lastclasscount = 0; +- +- $(document).on("click", "#dt_savetz", function(event) { +- if ($('.dt_error').data('err') == 0) { +- var newOffset = $('#ts_offset').val(); +- profileUpdate("tz", s2h(newOffset)); +- $('#user_tz').val(newOffset); +- } +- }); +- +- // Depending on context a 'No result' may be confusing +- // so we turn off active queue and show everything +- $(document).on('click', '#retry', function() { +- $('#rt').attr('class','tvalue_off'); +- $('#rt').text('off'); +- rtbit = 0; +- $('.b_update').click(); +- }); +- +- // Get event statuses +- var eTotal = 0, qTotal = 0; +- function statusPoll(caller) { +- // See if we are filtering by sensor +- var theSensors = s2h('empty'); +- if ($('.chk_sen:checked').length > 0) { +- var active_sensors = "AND event.sid IN("; +- var iter = $('.chk_sen:checked').length; +- $('.chk_sen:checked').each(function() { +- active_sensors += "'" + $(this).val() + "',"; +- }); +- active_sensors = active_sensors.replace(/,+$/,''); +- active_sensors += ")"; +- theSensors = s2h(active_sensors); +- } +- +- var urArgs = "type=" + 6 + "&ts=" + theWhen + "&sensors=" + theSensors; +- $(function(){ +- $.get(".inc/callback.php?" + urArgs, function(data){cb(data)}); +- }); +- +- function cb(data){ +- // Check to make sure we still have a valid session. If we don't +- // let the user know and return them to the login page. +- if (data[0] == "<") { +- $("span.class_msg").text("Your session has expired!"); +- $("span.class_msg").css("background-color", "#cc0000"); +- $("span.class_msg").css("color", "#fff"); +- $("span.class_msg").show(); +- var sessionDead = confirm("Your session has expired. Press \"OK\" to return to the login page. If you aren't finished with what you were looking at click 'Cancel'. 
Note: you won't be able to perform any actions."); +- if (sessionDead) { +- $("#logout").click(); +- } +- } +- eval("ec=" + data); +- +- var esum = 0; +- +- for (var i=0; i 0) { +- var p = parseFloat(ecount/esum*100).toFixed(1); +- var w = parseInt(p*2); +- } +- if (eclass == 0) { +- qTotal = ecount; +- } +- $("#c-" + eclass).text(ecount); +- $("#c-" + eclass).append("(" + p + "%)"); +- } +- +- var lastcount = $("#cat_sum").val(); +- var newcount = esum; +- $("#cat_sum").val(esum); +- eTotal = esum; +- $("#event_sum").val(eTotal); +- +- if (caller == 0) { // Fresh load +- lastcount = newcount; +- } +- +- // Last RT value +- var lastQ = Number($("#qtotal").html()); +- if (lastcount < newcount) { +- $("#etotal").html(eTotal); +- } +- +- if (lastQ < qTotal) { +- if (caller != 0) { +- if ($(".icon_notifier").css('display') == 'none') $(".icon_notifier").fadeToggle(); +- } +- $("#etotal").html(eTotal); +- $("#qtotal").html(qTotal); +- } +- +- $("#title").html("squert (" + qTotal + ") - " + thisUser); +- +- } +- +- } +- +- // +- // Event monitor (how often we poll for new events) +- // +- +- var emTimeout = 30000; +- window.setInterval(function(){ +- if ($('#search').val().length == 0) { +- statusPoll(1); +- } +- }, emTimeout); +- +- $(document).on("click", '[class*="cl_"]', function(event) { +- var nc = $(this).attr('class').split("_"); +- var ct = $(this).parents('table').data('comment'); +- $(".cat_msg_txt").val(ct); +- $('#b_class-' + nc[1]).click(); +- }); +- +- // Tabs +- var tab_cached = $("#sel_tab").val(); +- +- switch (tab_cached) { +- case "t_sum": +- $('.content-right').show(); +- break; +- case "t_ovr": +- $('.content-right').hide(); +- $('.content-left').hide(); +- if ($('#ovestat').text().length == 0) loadSummary(); +- break; +- case "t_view": +- $('.content-right').hide(); +- $('.content-left').hide(); +- loadViews(); +- default: +- $('.content-right').hide(); +- $('.content-left').hide(); +- break; +- } +- +- $('#' + 
tab_cached).attr('class','tab_active'); +- $("#" + tab_cached + "_content").attr('class','content_active'); +- +- $(".tab,.tab_active").click(function(event) { +- var active = $(".tab_active").attr('id'); +- var content = $(".content_active").attr('id'); +- if ($(".fl_val_on")[0]) { +- $('.b_update').click(); +- } +- +- if ( this.id != active ) { +- $("#" + active).removeClass('tab_active'); +- $("#" + active).addClass('tab'); +- $(this).attr('class','tab_active'); +- $("#" + content).attr('class','content'); +- $("#" + this.id + "_content").attr('class','content_active'); +- activeTab = $(".tab_active").attr('id'); +- $('.pin').hide(); +- +- switch (activeTab) { +- case "t_sum": +- $('.content-right').show(); +- if (Number($('.botog').data('val')) == 1) $('.content-left').show(); +- $('.t_pbar').css('opacity',1); +- $('.db_links').hide(); +- $('.pin').show(); +- break; +- case "t_ovr": +- $('.content-right').hide(); +- $('.content-left').hide(); +- if ($('#ovestat').text().length == 0) loadSummary(); +- $('.t_pbar').css('opacity',.1); +- $('.db_links').hide(); +- break; +- case "t_view": +- $('.content-right').hide(); +- $('.content-left').hide(); +- $('.t_pbar').css('opacity',.1); +- loadViews(); +- break; +- default: +- $('.content-right').hide(); +- $('.content-left').hide(); +- $('.t_pbar').css('opacity',.1); +- $('.db_links').hide(); +- break; +- } +- +- $('#sel_tab').val(activeTab); +- var ctab = $('#sel_tab').val(); +- var urArgs = "type=" + 5 + "&tab=" + ctab; +- $.get(".inc/callback.php?" 
+ urArgs); +- } +- }); +- +- // Sub tab groups +- $(".tsg").click(function(event) { +- var nc = Number($(this).attr('class').split(/\s/).length); +- var ct = $(this).data('tab'); +- $('.tsg_active').attr('class','tsg'); +- $(this).attr('class','tsg tsg_active'); +- }); +- +- // Toggle and update views +- function newView(req) { +- // No racing please +- var bail = $("#loader").css('display'); +- if (bail != 'none') return; +- // Remove any stale views +- $("#tl0,#tl1,#tl3a,#tl3b").remove(); +- var f = "0-aaa-00"; +- var s = "2a-aaa-00"; +- var cv = $("#gr").text(); +- +- switch (cv) { +- case "on": +- eventList(f); +- $("#loader").show(); +- break; +- case "off": +- eventList(s); +- $("#loader").show(); +- break; +- } +- } +- +- // Group and ungroup +- $(document).on("click", "#gr", function(event) { +- var bail = $("#loader").css('display'); +- if (bail != 'none') return; +- var cv = $('#gr').text(); +- switch (cv) { +- case 'on': +- $('#gr').attr('class','tvalue_off'); +- $('#gr').text('off'); +- break; +- case 'off': +- $('#gr').attr('class','tvalue_on'); +- $('#gr').text('on'); +- $("#event_sort").val("DESC"); +- break; +- } +- }); +- +- // RT check/uncheck +- $(document).on("click", "#rt", function(event) { +- var bail = $("#loader").css('display'); +- if (bail != 'none') return; +- var cv = $('#rt').text(); +- switch (cv) { +- case 'on': +- $('#rt').attr('class','tvalue_off'); +- $('#rt').text('off'); +- rtbit = 0; +- break; +- case 'off': +- $('#rt').attr('class','tvalue_on'); +- $('#rt').text('on'); +- rtbit = 1; +- break; +- } +- }); +- +- // Toggle side/lower bars +- $(document).on("click", ".botog", function(event) { +- if ($('.tab_active').attr('id') != 't_sum') return; +- var n = Number($('.botog').data("val")); +- switch (n) { +- case 1: +- $('.botog').data("val","0"); +- $('.content-right').css("width","100%"); +- $('.botog').attr('src','.css/layout0.png'); +- break; +- case 0: +- $('.botog').data("val","1"); +- 
$('.content-right').css("width","82%"); +- $('.botog').attr('src','.css/layout1.png'); +- break; +- } +- $('.bottom').animate({height: 'toggle'}); +- $('.content-left').animate({width: 'toggle'}); +- }); +- +- // Section show and hide +- $(".st").click(function() { +- var thisSec = $(this).data("sec"); +- var thisSecID = "#sec_" + thisSec; +- var thisSecVis = $(thisSecID).css("display"); +- var lastSection = "h"; +- switch (thisSecVis) { +- case "none": +- $(this).attr("src", ".css/uarr.png"); +- $(thisSecID).slideDown(); +- break; +- default: +- $(this).attr("src", ".css/darr.png"); +- $(thisSecID).slideUp(); +- break; +- } +- }); +- +- // If search is in focus, update on enter +- $('#search').keypress(function(e) { +- if (!e) e=window.event; +- key = e.keyCode ? e.keyCode : e.which; +- if (key == 13) { +- // Close comment box if it is open +- if ($('#cat_box').css('display') != 'none') { +- $('#ico01').click(); +- } +- $('.b_update').click(); +- } +- }); +- +- // Sort ASC/DESC +- $(document).on("click", ".event_time", function(event) { +- var csv = $(".event_time").text(); +- switch (csv) { +- case "show oldest first": +- $("#event_sort").val("ASC"); +- break; +- case "show newest first": +- $("#event_sort").val("DESC"); +- break; +- } +- newView("u"); +- }); +- +- // Update page +- $(document).on("click", ".b_update", function(event) { +- $(".icon_notifier").fadeToggle(); +- $(".tag").remove(); +- $(".tag_empty").show(); +- // Remove any supplementary results +- if ($("#extresult")[0]) $("#extresult").remove(); +- // Where are we? 
+- var curTab = $('.tab_active').attr('id'); +- switch (curTab) { +- case 't_ovr': +- loadSummary(); +- break; +- case 't_view': +- mkView(); +- break; +- default: +- $(".b_update_note").hide(); +- newView("u"); +- break; +- } +- }); +- +- // Clear search and refresh +- $('#clear_search').click(function() { +- if ($('#search').val() != '') { +- $('#search').val(''); +- $("#search").focus(); +- if ($(".fl_val_on")[0]) { +- $('.b_update').click(); +- } +- } +- }); +- +- // Logout +- $("#logout").click(function(event) { +- //$.get("/logout.html", function(){location.reload()}); +- location.replace("/logout.html"); +- }); +- +- // Toggle filters +- $(document).on('click', '.fl_val_on', function(event) { +- var wF = $(this).data("ft"); +- switch (wF) { +- case "tl": +- +- break; +- case "ob": +- $('#clear_search').click(); +- break; +- case "sn": +- $(".chk_sen").each(function() { +- $(this).prop("checked",false); +- }); +- $('.b_update').click(); +- break; +- } +- }); +- +- function clearTags() { +- //$(".tag").remove(); +- //$(".tag_empty").show(); +- $(".tag").removeClass('tag_active'); +- } +- +- // +- // Rows +- // +- +- function closeRow() { +- $("#active_eview").remove(); +- $("#" + this.id).attr('class','d_row'); +- $(".d_row").css('opacity','1'); +- ltCol = $(".d_row_active").find('td.lt').html(); +- $(".d_row_active").find('td.lt').css('background', ltCol); +- $(".d_row_active").attr('class','d_row'); +- // Update class_count +- $("#class_count").text(lastclasscount); +- // Get rid of any crashed loaders +- $("#loader").hide(); +- // Reset checkbox +- $(".chk_all").prop("checked",false); +- // Clear Tags +- clearTags(); +- } +- function closeSubRow() { +- $("#eview_sub1").remove(); +- $("#" + this.id).attr('class','d_row_sub'); +- $(".d_row_sub").css('opacity','1'); +- $(".d_row_sub_active").attr('class','d_row_sub'); +- // Update class_count +- $("#class_count").text(lastclasscount); +- curclasscount = lastclasscount; +- $("#loader").hide(); +- // Reset and 
show checkbox +- $(".chk_all").prop("checked",false); +- $("#ca0").show(); +- // Remove any open externals +- if ($("#extresult")[0]) $("#extresult").remove(); +- // Clear Tags +- clearTags(); +- } +- function closeSubRow1() { +- $("#eview_sub2").remove(); +- $("#" + this.id).attr('class','d_row_sub1'); +- if (!$("#eview_sub3")[0]) { +- $(".d_row_sub1").css('opacity','1'); +- $(".d_row_sub_active1").attr('class','d_row_sub1'); +- } +- $("#loader").hide(); +- // Reset checkbox +- $(".chk_all").prop("checked",false); +- // Remove any open externals +- if ($("#extresult")[0]) $("#extresult").remove(); +- // Clear Tags +- clearTags(); +- } +- function closeSubRow2() { +- $("#eview_sub3").remove(); +- $("#" + this.id).attr('class','d_row_sub1'); +- if (!$("#eview_sub2")[0]) { +- $(".d_row_sub1").css('opacity','1'); +- $(".d_row_sub1_active").attr('class','d_row_sub1'); +- } +- $("#loader").hide(); +- // Clear Tags +- clearTags(); +- } +- +- // +- // Level 1 +- // +- +- $(document).on("click", ".row_active", function(event) { +- var curID = $(this).parent('tr').attr('id'); +- // What type of row are we? +- rowType = curID.substr(0,3); +- +- // Make sure no other instances are open +- if (!$(".d_row_active")[0] && rowType == 'sid') { +- $("#loader").show(); +- // This leaves us with sid-gid +- var rowValue = curID.replace("sid-",""); +- var sigID = rowValue.split("-")[0]; +- +- $(".d_row_active").attr('class', 'd_row'); +- $("#active_eview").attr('class','d_row'); +- +- // This is now the active row +- $("#" + curID).attr('class','d_row_active'); +- $("html, body").animate({ scrollTop: $('.d_row_active').offset().top - 140 }, 20); +- // History +- var itemToAdd = $("#" + curID).find('[class*="row_filter"]').text(); +- hItemAdd(itemToAdd); +- // Set the class count (counted again after load) +- curclasscount = $('.d_row_active').data('event_count'); +- var cols = $('th.sort').length; +- var tbl = ''; +- tbl += ""; +- tbl += "
"; +- tbl += "
"; +- tbl += "
"; +- tbl += "
"; +- tbl += "
"; +- tbl += "
"; +- tbl += "
"; +- tbl += "
"; +- tbl += ""; +- tbl += "CATEGORIZE"; +- tbl += curclasscount + "EVENT(S)  "; +- tbl += "    "; +- tbl += "CREATE FILTER: "; +- tbl += "src  "; +- tbl += "dst  "; +- tbl += "both"; +- tbl += "
"; +- $("#" + curID).after(tbl); +- +- // Lookup signature +- sigLookup(rowValue); +- +- // Fetch results +- eventList("1-" + rowValue); +- +- $("#eview").show(); +- $(".d_row").fadeTo('0','0.2'); +- } else { +- closeRow(); +- } +- }); +- +- // +- // Level 2 +- // +- +- $(document).on("click", ".sub_active", function() { +- if (!$(".d_row_sub_active")[0]) { +- var callerID = $(this).parent('tr').attr('id'); +- +- // Reset checkbox +- $(".chk_all").prop("checked",false); +- +- // RT or ALL? +- switch (rtbit) { +- case 1: adqp = s2h("AND event.status = 0"); break; +- case 0: adqp = s2h("empty"); break; +- } +- // We are now the active row +- $("#" + callerID).attr('class','d_row_sub_active'); +- +- // Populate search times +- var bt = $("#" + callerID).find('[class*="timestamp"]').html(); +- var est = mkStamp(bt,"-",3600000,thisTZ); +- var eet = mkStamp(bt,"+",3600000,thisTZ); +- +- $('#el_start').val(est); +- $('#el_end').val(eet); +- +- // Clear search terms +- $("#srchterms").html(''); +- $(".srch_txt").val(''); +- +- // History and search +- $("#" + callerID).find('[class*="sub_filter"]').each(function() { +- if ($(this).data('type') == 'cc') { +- var itemToAdd = $(this).data('value'); +- } else { +- var itemToAdd = $(this).text(); +- // Add search terms +- $("#srchterms").append("" + itemToAdd + "  "); +- } +- hItemAdd(itemToAdd); +- }); +- +- $("#loader").show(); +- eventList("2-" + callerID + "-" + adqp); +- } else { +- closeSubRow(); +- } +- }); +- +- // +- // Level 3 (a or b) request payload +- // +- +- $(document).on("click", ".sub1_active", function() { +- // Close transcript if it is open +- if ($(".eview_sub3")[0]) closeSubRow2(); +- if (!$(".d_row_sub_active1")[0]) { +- var callerID = $(this).parent('tr').attr('id'); +- $("#" + callerID).attr('class','d_row_sub_active1'); +- +- // Populate search times +- var bt = $("#" + callerID).find('[class*="timestamp"]').html(); +- var est = mkStamp(bt,"-",1800000,thisTZ); +- var eet = 
mkStamp(bt,"+",1800000,thisTZ); +- +- $('#el_start').val(est); +- $('#el_end').val(eet); +- +- // Clear search terms +- $("#srchterms").html(''); +- $(".srch_txt").val(''); +- +- // History +- $("#" + callerID).find('[class*="sub_filter"]').each(function() { +- if ($(this).data('type') == 'cc') { +- var itemToAdd = $(this).data('value'); +- } else { +- var itemToAdd = $(this).text(); +- } +- if ($(this).data('type') == 'ip') { +- // Add search terms +- $("#srchterms").append("" + itemToAdd + "  "); +- } +- hItemAdd(itemToAdd); +- }); +- $("#loader").show(); +- eventList("3-" + callerID); +- } else { +- closeSubRow1() +- } +- }); +- +- // +- // Level 3 (a or b) request transcript +- // +- +- $(document).on("click", ".sub2_active", function(event) { +- // Close payload if it is open +- if ($(".eview_sub2")[0]) closeSubRow1(); +- var bail = $("#loader").css('display'); +- if (bail != 'none') return; +- if (!$(".eview_sub3")[0]) { +- $("#loader").show(); +- composite = $(this).data('tx').split("-"); +- rowLoke = composite[0]; +- $("#" + rowLoke).attr('class','d_row_sub1_active'); +- nCols = $("#" + rowLoke).find('td').length; +- cid = composite[1]; +- txdata = composite[2]; +- +- // See if a transcript is available +- var urArgs = "type=" + 7 + "&txdata=" + txdata; +- $(function(){ +- $.post(".inc/callback.php?" + urArgs, function(data){cb5(data)}); +- }); +- +- function cb5(data){ +- eval("txRaw=" + data); +- txCMD = txRaw.cmd; +- txResult = txRaw.tx; +- txDebug = txRaw.dbg; +- if (txResult == "DEBUG:") txResult += " No data was returned."; +- if (!txResult) { +- txResult = "Transcript request failed!

"; +- txResult += "The command was:
" + txCMD + "

"; +- txResult += "The response was:" + txDebug.replace(/DEBUG:/g,"
"); +- } +- +- var row = '',tbl = ''; +- row += ""; +- row += ""; +- row += "
"; +- row += txResult; +- row += "
"; +- +- tbl += ""; +- tbl += row; +- tbl += ""; +- $("#" + rowLoke).after(tbl); +- +- // Turn off fade effect for large results +- var rC = $(".d_row_sub1").length; +- if ( rC <= 399 ) { +- $(".d_row_sub1").fadeTo('fast','0.2'); +- } +- +- $("#loader").hide(); +- } +- } else { +- closeSubRow2(); +- } +- }); +- +- // Toggle RT depending on entry point +- $(document).on("click", ".b_ec_hot", function() { +- rtbit = 1; +- }); +- $(document).on("click", ".b_ec_total", function() { +- rtbit = 0; +- }); +- +- // Filter constructor +- function mkFilter() { +- if ($('#search').val().length > 0) { +- +- var srchVal = $('#search').val(); +- var fParts = ""; +- +- // If no term is supplied default to a string, IP or wildcard IP search +- chkVal: +- if (srchVal.indexOf(" ") == -1 && srchVal[0] != "!") { +- var re = /^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}/; +- if (re.exec(srchVal)) { +- srchVal = "ip " + srchVal; +- break chkVal; +- } +- +- var re = /^(\d{1,3}|%)\.(\d{1,3}|%)\.(\d{1,3}|%)\.(\d{1,3}|%)/; +- if (re.exec(srchVal)) { +- srchVal = "wip " + srchVal; +- break chkVal; +- } +- +- srchVal = "sig " + srchVal; +- } +- +- fParts = srchVal.replace(/^!/,"").split(" "); +- if (fParts[0] == 'cmt') { +- var theFilter = s2h($('#search').val()); +- rtbit = 0; +- } else { +- // Now see if the requested filter exists +- if ($("#tr_" + fParts[0]).length > 0) { +- tmpFilter = $("#tr_" + fParts[0]).data('filter'); +- // Now see if we need to modify the query +- if (fParts[1]) { +- // This is the base filter +- preFilter = h2s(tmpFilter); +- // This is the user supplied text. 
+- var re = new RegExp("^" + fParts[0] + "\\s{1}|[';\\\`]","g"); +- theQuestion = fParts.join(' ').replace(re, ""); +- // We will accept multiple questions if they are comma delimited +- questionParts = theQuestion.split(","); +- if (questionParts.length > 1) { +- var f = '('; +- for (var i = 0; i < questionParts.length; i++) { +- f += preFilter.replace(/\$/g, questionParts[i]); +- if (i != (questionParts.length - 1)) { +- f += " OR "; +- } +- } +- f += ')'; +- theFilter = s2h(f); +- } else { +- var newFilter = preFilter.replace(/\$/g, questionParts[0]); +- theFilter = s2h(newFilter); +- } +- } else { +- theFilter = tmpFilter; +- } +- } else { // The filter does not exist +- theFilter = s2h('empty'); +- } +- } +- } else { // No filter supplied +- theFilter = s2h('empty'); +- } +- return theFilter; +- } +- +- // +- // This creates the views for each level +- // +- +- function eventList (type) { +- theWhen = getTimestamp(); +- statusPoll(0); +- var parts = type.split("-"); +- var filterMsg = ''; +- var rt = 0; +- var theSensors = s2h('empty'); +- var theFilter = mkFilter(); +- +- // See if we are just RT events +- if ($('#rt').text() == 'on' || rtbit == 1) { +- rt = 1; +- rtbit = 1; +- } +- // How are we sorting? 
+- var sortval = $("#event_sort").val(), sorttxt; +- switch (sortval) { +- case "DESC": sorttxt = "show oldest first"; break; +- case "ASC": sorttxt = "show newest first"; break; +- } +- +- // See if we are filtering by sensor +- if ($('.chk_sen:checked').length > 0) { +- var active_sensors = "AND event.sid IN("; +- var iter = $('.chk_sen:checked').length; +- $('.chk_sen:checked').each(function() { +- active_sensors += "'" + $(this).val() + "',"; +- }); +- active_sensors = active_sensors.replace(/,+$/,''); +- active_sensors += ")"; +- theSensors = s2h(active_sensors); +- } +- +- // Check for any filters +- if (h2s(theFilter) != 'empty') { +- $('.fl_val').text('YES'); +- } else { +- $('.fl_val').text('NO'); +- } +- +- switch (parts[0]) { +- +- // Level 0 view - Grouped by Signature +- case "0": +- $('.value').text('-'); +- +- // Times Chart +- var urChrtArgs = "type=22&ts=" + theWhen + "&filter=" + theFilter + "&sensors=" + theSensors; +- $(function(){ +- $.get(".inc/callback.php?" + urChrtArgs, function(data){cb22(data)}); +- }); +- +- function cb22(data){ +- eval("chartData=" + data); +- var r = chartData.r; +- if (r > 0) { +- mkLine(".times",chartData.rows,chartData.m); +- } +- } +- +- var urArgs = "type=" + parts[0] + "&ts=" + theWhen + "&filter=" + theFilter + "&sensors=" + theSensors + "&rt=" + rt + "&sv=" + sortval; +- $(function(){ +- $.get(".inc/callback.php?" 
+ urArgs, function(data){cb1(data)}); +- }); +- function cb1(data){ +- eval("d0=" + data); +- var tbl = ''; +- var head = ''; +- var row = ''; +- var cols = 11; +- +- if (rt == 0) cols = 12; +- head += ""; +- head += ""; +- head += "QUEUE"; +- if (rt == 0) head += "ALL"; +- head += ""; +- head += "SC"; +- head += "DC"; +- if (rt == 0) head += "CLASS"; +- head += "ACTIVITY"; +- head += "LAST EVENT"; +- head += "SIGNATURE"; +- head += "ID"; +- head += "PROTO"; +- head += "% TOTAL"; +- head += ""; +- +- var sumEC = 0, sumSC = 0, sumDC = 0, sumSI = "-", spr1 = 0, spr2 = 0, spr3 = 0, spr4 = 0; +- +- if (d0.length > 0) { +- // Sums for boxes +- for (var i=0; i"; +- row += "No result. If this is unexpected try this"; +- } +- +- if (rt == 1) { +- sumSC = "-"; +- sumDC = "-"; +- sumEC = eTotal; +- } +- +- var sumRT = 0; +- +- // Tag Array +- var tags = new Array(); +- +- for (var i=0; i 0 ) { +- rtClass = "b_ec_hot"; +- sumRT += parseInt(unClass); +- } else { +- rtClass = "b_ec_cold"; +- } +- +- // Sum priorities +- var prC = Number(d0[i].f1); +- switch (d0[i].f13) { +- case "1": spr1 += prC; break; +- case "2": spr2 += prC; break; +- case "3": spr3 += prC; break; +- default: spr4 += prC; break; +- } +- +- rid = "r" + i + "-" + parts[1]; +- var cells = mkGrid(d0[i].f12); +- if (rt == 0) var catCells = catGrid(d0[i].f11,0,0); +- row += ""; +- row += "
" + unClass + "
"; +- if (rt == 0) row += "
" + d0[i].f1 + "
"; +- row += "
" + d0[i].f13 + "
"; +- row += "" +d0[i].f6+ ""; +- row += "" +d0[i].f7+ ""; +- if (rt == 0) row += "" + catCells + ""; +- +- timeParts = d0[i].f5.split(" "); +- timeStamp = timeParts[1]; +- +- if ( sumEC > 0) { +- rowPer = Number(d0[i].f1/sumEC*100).toFixed(3); +- } else { +- rowPer = "0.000"; +- } +- +- row += "" + cells + ""; +- row += "" + timeStamp + ""; +- row += ""; +- //row += "
" + d0[i].f2 + "
"; +- row += d0[i].f2 + ""; +- row += "" + d0[i].f3 + ""; +- row += "" + d0[i].f8 + ""; +- +- +- row += "" + rowPer + "%"; +- row += ""; +- } +- +- // Populate event summary +- $('#qtotal').text(sumRT); +- $('#etotal').text(sumEC); +- $('#esignature').text(sumSI); +- +- // Populate tags +- for (var i=0; i < tags.length; i++) { +- addTag(tags[i]); +- } +- +- tbl += ""; +- tbl += head; +- tbl += row; +- tbl += "
"; +- +- $('#' + parts[1] + '-' + parts[2]).append(tbl); +- +- if (d0.length > 0) { +- var prVals = [spr1,spr2,spr3,spr4]; +- var pryBar = mkPribar(prVals); +- } else { +- var pryBar = mkPribar([0]); +- } +- $('#tl1').fadeIn('slow'); +- $("#tl1").tablesorter(); +- $("#loader").hide(); +- } +- break; +- +- // Level 1 view - Grouped by signature, source, destination +- +- case "1": +- var urArgs = "type=" + parts[0] + "&object=" + parts[1] + "&ts=" + theWhen + "&filter=" + theFilter + "&sensors=" + theSensors + "&rt=" + rt + "&sv=" + sortval; +- $(function(){ +- $.get(".inc/callback.php?" + urArgs, function(data){cb2(data)}); +- }); +- +- function cb2(data){ +- eval("theData=" + data); +- tbl = ''; +- head = ''; +- row = ''; +- head += "QUEUE"; +- if (rt == 0) head += "TOTAL"; +- if (rt == 0) head += "CLASS"; +- head += "ACTIVITY"; +- head += "LAST EVENT"; +- head += "SOURCE"; +- head += "AGE"; +- head += "COUNTRY"; +- head += "DESTINATION"; +- head += "AGE"; +- head += "COUNTRY"; +- head += ""; +- var curclasscount = 0, tlCount = 0, rtCount = 0; +- var timeValues = "", scid = ""; +- +- // Tag array +- var tags = new Array(); +- +- for (var i=0; i 0 ) { +- rtClass = "b_ec_hot"; +- isActive = "sub_active"; +- } else { +- rtClass = "b_ec_cold"; +- isActive = "sub"; +- } +- +- // Aggregate time values +- timeValues += theData[i].c_ts + ","; +- var cells = mkGrid(theData[i].f12); +- if (rt == 0) var catCells = catGrid(theData[i].c_status,0,0); +- +- // Event sums +- tlCount += parseInt(count,10); +- rtCount += parseInt(unclass,10); +- +- rid = "r" + i + "-" + parts[1] + "-" + src_ip + "-" + dst_ip; +- row += ""; +- row += "
" + unclass + "
"; +- if (rt == 0) row += "
" + count + "
"; +- if (rt == 0) row += "" + catCells + ""; +- row += "" + cells + ""; +- row += "" + max_time + ""; +- row += "
" + src_ip + ""; +- row += "" + src_age_n + ""; +- row += ""; +- row += cs[1] + src_clong + " (." + src_cc.toLowerCase() + ")" + ""; +- row += "
" + dst_ip + ""; +- row += "" + dst_age_n + ""; +- row += ""; +- row += cd[1] + dst_clong + " (." + dst_cc.toLowerCase() + ")" + ""; +- row += ""; +- } +- +- // Populate tags +- for (var i=0; i < tags.length; i++) { +- addTag(tags[i]); +- } +- +- // Add scid's to checkbox +- $("#ca0").data("scid", scid.replace(/,$/, "")); +- +- // If queue is empty provide event sums in case the user +- // intends to reclass anything +- if (rtbit == 1) { +- curclasscount = rtCount; +- } else { +- curclasscount = tlCount; +- } +- +- // update class_count +- $("#class_count").html(curclasscount); +- lastclasscount = $("#class_count").html(); +- +- // While in grouped events (RT) we remove rows as +- // they are classed and subtract the values from "Total Events" +- // This keeps etotal up to date so the math doesn't get silly +- var oldrt = Number($(".d_row_active").find(".b_ec_hot").text()); +- var oldec = Number($("#etotal").text()); +- if (oldrt < rtCount) { +- newrtcount = parseInt((rtCount - oldrt) + oldec); +- $("#etotal").text(newrtcount); +- } +- +- // Update parent counts +- $(".d_row_active").find(".b_ec_hot").text(rtCount); +- if (rt == 0) $(".d_row_active").find(".b_ec_total").text(tlCount); +- +- tbl += "
"; +- tbl += head; +- tbl += row; +- tbl += "
"; +- $("#eview").after(tbl); +- $("#tl2").tablesorter({ +- headers: { +- 4: {sorter:'ipv4'}, +- 6: {sorter:'ipv4'} +- } +- }); +- $("#loader").hide(); +- } +- break; +- +- // Level 2 view - No grouping, individual events +- +- case "2": +- var rowLoke = parts[1]; +- var filter = $('#' + parts[1]).data('filter'); +- var urArgs = "type=" + parts[0] + "&object=" + filter + "&filter=" + theFilter + "&sensors=" + theSensors + "&ts=" + theWhen + "&adqp=" + parts[2] + "&rt=" + rt + "&sv=" + sortval; +- $(function(){ +- $.get(".inc/callback.php?" + urArgs, function(data){cb3(data)}); +- }); +- +- function cb3(data){ +- eval("d2=" + data); +- tbl = ''; +- head = ''; +- row = ''; +- head += ""; +- head += ""; +- head += "ST"; +- head += "TIMESTAMP"; +- head += "EVENT ID"; +- head += "SOURCE"; +- head += "PORT"; +- head += "DESTINATION"; +- head += "PORT"; +- head += "SIGNATURE"; +- head += ""; +- +- // Update class_count +- $("#class_count").html(0); +- var tlCount=0, rtCount=0; +- +- // Tag array +- var tags= new Array(); +- +- for (var i=0; i"; +- tclass = "c" + eclass; +- cv = classifications.class[tclass][0].short; +- +- // Populate tags array +- if (src_tag != "-") { +- var src_tags = src_tag.split(","); +- $.each(src_tags, function(n,tag) { +- var t = tags.indexOf(tag); +- if (t < 0) tags.push(tag); +- }); +- } +- +- if (dst_tag != "-") { +- var dst_tags = dst_tag.split(","); +- $.each(dst_tags, function(n,tag) { +- var t = tags.indexOf(tag); +- if (t < 0) tags.push(tag); +- }); +- } +- +- // Timestamp +- var compts = d2[i].f2.split(",") || "--"; +- var timestamp = compts[0]; +- var utctimestamp = compts[1]; +- +- // Event sums +- tlCount += parseInt(1,10); +- if (cv == "RT") { +- rtCount += parseInt(1,10); +- } +- +- // Transcript link +- // original Squert native pivot: +- //txdata = "s" + i + "-" + cid + "-" + s2h(sid + "|" + utctimestamp + "|" + src_ip + "|" + src_port + "|" + dst_ip + "|" + dst_port); +- //txBit = "" + sid + "." + cid + "
"; +- //if (src_port != "-" && dst_port != "-") { +- // txBit = "" + sid + "." + cid + ""; +- //} +- // new pivot to CapMe: +- txdata = "s" + i + "-" + cid + "-" + s2h(sid + "|" + utctimestamp + "|" + src_ip + "|" + src_port + "|" + dst_ip + "|" + dst_port); +- txBit = "" + sid + "." + cid + ""; +- if (src_port != "-" && dst_port != "-") { +- var startDate = new Date(utctimestamp); +- var start_tz_offset = (startDate.getTimezoneOffset()); +- var stime = startDate.setTime( startDate.getTime()/1000-(start_tz_offset*60) ) - 3600; +- var endDate = new Date(utctimestamp); +- var end_tz_offset = (endDate.getTimezoneOffset()); +- var etime = endDate.setTime( endDate.getTime()/1000-(end_tz_offset*60) ) + 3600; +- txBit = " " + sid + "." + cid + ""; +- } +- +- row += ""; +- row += "
"; +- row += cv + "
"; +- row += "" + timestamp + ""; +- row += txBit; +- row += "" + src_ip + ""; +- row += "" + src_port + ""; +- row += "" + dst_ip + ""; +- row += "" + dst_port + ""; +- row += "" + signature + ""; +- row += ""; +- } +- +- // Update parent counts +- $(".d_row_sub_active").find(".b_ec_hot").text(rtCount); +- if ($(".d_row_sub_active").find(".b_ec_total").text() < tlCount) { +- $(".d_row_sub_active").find(".b_ec_total").text(tlCount); +- } +- +- var cols = $('th.sort').length; +- +- // Populate tags +- clearTags(); +- for (var i=0; i < tags.length; i++) { +- addTag(tags[i]); +- } +- +- tbl += ""; +- tbl += ""; +- tbl += head; +- tbl += row; +- tbl += "
"; +- $("#" + rowLoke).after(tbl); +- $(".d_row_sub").fadeTo('0','0.2'); +- $("#loader").hide(); +- $("#tl3").tablesorter({ +- headers: { +- 0:{sorter:false}, +- 4:{sorter:'ipv4'}, +- 6:{sorter:'ipv4'} +- }, +- cancelSelection:false +- }); +- $("#ca0").hide(); +- } +- break; +- +- // Level 2a view - No grouping, individual events +- +- case "2a": +- $('.value').text('-'); +- var urArgs = "type=2a&ts=" + theWhen + "&filter=" + theFilter + "&sensors=" + theSensors + "&rt=" + rt + "&sv=" + sortval; +- $(function(){ +- $.get(".inc/callback.php?" + urArgs, function(data){cb3a(data)}); +- }); +- +- function cb3a(data){ +- eval("d2a=" + data); +- var tbl = ''; +- var head = ''; +- var row = ''; +- var disabled = ''; +- if (d2a.length == 0) { +- disabled = "disabled"; +- row += ""; +- row += "No result. If this is unexpected try this"; +- } +- +- head += ""; +- head += ""; +- head += ""; +- head += "ST"; +- head += ""; +- head += "TIMESTAMP"; +- head += "ID"; +- head += "SOURCE"; +- head += "PORT"; +- head += "AGE"; +- head += "CC"; +- head += "DESTINATION"; +- head += "PORT"; +- head += "AGE"; +- head += "CC"; +- head += "SIGNATURE"; +- head += ""; +- +- // Aggregate time values +- var timeValues = ""; +- for (var ts=0; ts" + sid + "." + cid + ""; +- //if (src_port != "-" && dst_port != "-") { +- // txBit = "" + sid + "." + cid + ""; +- //} +- // new pivot to CapMe: +- txdata = "s" + i + "-" + cid + "-" + s2h(sid + "|" + utctimestamp + "|" + src_ip + "|" + src_port + "|" + dst_ip + "|" + dst_port); +- txBit = "" + sid + "." + cid + ""; +- if (src_port != "-" && dst_port != "-") { +- var startDate = new Date(utctimestamp); +- var start_tz_offset = (startDate.getTimezoneOffset()); +- var stime = startDate.setTime( startDate.getTime()/1000-(start_tz_offset*60) ) - 3600; +- var endDate = new Date(utctimestamp); +- var end_tz_offset = (endDate.getTimezoneOffset()); +- var etime = endDate.setTime( endDate.getTime()/1000-(end_tz_offset*60) ) + 3600; +- txBit = " " + sid + "." 
+ cid + ""; +- } +- +- row += ""; +- row += ""; +- row += "
"; +- row += cv + "
"; +- row += "
" + d2a[i].f16 + "
"; +- row += "" + timestamp + ""; +- row += txBit; +- row += "
" + src_ip + ""; +- row += "" + src_port + ""; +- row += "" + src_age_n + ""; +- row += "" + cs[1] + ""; +- row += "
" + dst_ip + ""; +- row += "" + dst_port + ""; +- row += "" + dst_age_n + "" +- row += "" + cd[1] + ""; +- row += "" + signature + ""; +- } +- +- var sumED = 0, sumEC = 0, cmsg = ""; +- +- if (d2a.length > 0) { +- sumED = i; +- sumEC = d2a.length; +- } +- +- if (d2a.length >= maxI) { +- sumRE = sumEC - maxI; +- cmsg = " / " + sumRE + " not shown"; +- } +- +- $("#qtotal").html(rsumRT); +- +- // Populate tags +- clearTags(); +- for (var i=0; i < tags.length; i++) { +- addTag(tags[i]); +- } +- +- // Draw +- tbl += ""; +- tbl += "
"; +- tbl += "
"; +- tbl += "
"; +- tbl += "categorize " + 0 + ""; +- tbl += " of " + sumED + " event(s)" + cmsg; +- tbl += "
"; +- tbl += "
" + sorttxt + "
"; +- tbl += "
"; +- tbl += "
"; +- tbl += ""; +- tbl += head; +- tbl += row; +- tbl += "
"; +- $('#' + parts[1] + '-' + parts[2]).after(tbl); +- +- if (d2a.length > 0) { +- var prVals = [spr1,spr2,spr3,spr4]; +- var pryBar = mkPribar(prVals); +- } else { +- var pryBar = mkPribar([0]); +- } +- $("#tl3a,#tl3b").fadeIn('slow'); +- $("#tl3b").tablesorter({ +- headers: { +- 0:{sorter:false}, +- 1:{sorter:false}, +- 5:{sorter:'ipv4'}, +- 8:{sorter:'ipv4'} +- }, +- cancelSelection:false +- }); +- $("#loader").hide(); +- } +- break; +- +- // Level 3 view - Packet Data +- +- case "3": +- var rowLoke = parts[1]; +- var nCols = $('#' + parts[1]).data('cols'); +- var filter = $('#' + parts[1]).data('filter'); +- var urArgs = "type=" + parts[0] + "&object=" + filter + "&ts=" + theWhen; +- var sg = $('#' + parts[1]).data('sg'); +- $(function(){ +- $.get(".inc/callback.php?" + urArgs, function(data){cb4(data)}); +- }); +- +- function cb4(data){ +- eval("theData=" + data); +- +- var tbl = '', head = '', row = ''; +- +- // If IP version is 0 we can jump right to the payload (likely bro, http or ossec agent) +- if (theData[0].ip_ver != 0) { +- +- var PDATA = 0; +- head += ""; +- head += ""; +- head += ""; +- head += ""; +- head += ""; +- head += ""; +- head += ""; +- head += ""; +- head += ""; +- head += ""; +- head += ""; +- head += ""; +- head += ""; +- head += ""; +- +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += "
IPVERIHLTOSLENGTHIDFLAGSOFFSETTTLCHECKSUMPROTO
" + theData[0].ip_ver + "" + theData[0].ip_hlen + "" + theData[0].ip_tos + "" + theData[0].ip_len + "" + theData[0].ip_id + "" + theData[0].ip_flags + "" + theData[0].ip_off + "" + theData[0].ip_ttl + "" + theData[0].ip_csum + "" + theData[0].ip_proto + "
"; +- +- switch (theData[0].ip_proto) { +- case "1": +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += "
ICMPTYPECODECHECKSUMIDSEQ#
" + theData[1].icmp_type + "" + theData[1].icmp_code + "" + theData[1].icmp_csum + "" + theData[1].icmp_id + "" + theData[1].icmp_seq + "
"; +- break; +- +- case "6": +- // TCP flags +- var tmpFlags = theData[1].tcp_flags || 'z'; +- switch (tmpFlags) { +- case 'z': var tcpFlags = '--------'; break; +- default: +- var binFlags = Number(theData[1].tcp_flags).toString(2); +- var binPad = 8 - binFlags.length; +- var tcpFlags = "00000000".substring(0,binPad) + binFlags; +- break; +- } +- var tcp_seq = theData[1].tcp_seq || '-'; +- var tcp_ack = theData[1].tcp_ack || '-'; +- var tcp_off = theData[1].tcp_off || '-'; +- var tcp_res = theData[1].tcp_res || '-'; +- var tcp_win = theData[1].tcp_win || '-'; +- var tcp_urp = theData[1].tcp_urp || '-'; +- var tcp_csum = theData[1].tcp_csum || '-'; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += "
TCPR1R0URGACKPSHRSTSYNFINSEQ#ACK#OFFSETRESWINURPCHECKSUM
" + tcpFlags[0] + "" + tcpFlags[1] + "" + tcpFlags[2] + "" + tcpFlags[3] + "" + tcpFlags[4] + "" + tcpFlags[5] + "" + tcpFlags[6] + "" + tcpFlags[7] + "" + tcp_seq + "" + tcp_ack + "" + tcp_off + "" + tcp_res + "" + tcp_win + "" + tcp_urp + "" + tcp_csum + "
"; +- break; +- +- case "17": +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += "
UDPLENGTHCHECKSUM
" + theData[1].udp_len + "" + theData[1].udp_csum + "
"; +- break; +- } +- +- var p_hex = '', p_ascii = '', p_ascii_l = ''; +- +- // Data +- if (!theData[2]) { +- p_hex = "No Data Sent."; +- p_ascii = "No Data Sent."; +- } else { +- p_pl = theData[2].data_payload; +- p_length = theData[2].data_payload.length; +- var b0 = 0; +- +- for(var i=0; i < p_length; i+=2) { +- b0++; +- t_hex = p_pl.substr(i,2); +- t_int = parseInt(t_hex,16); +- +- if ((t_int < 32) || (t_int > 126)) { +- p_hex += t_hex + " "; +- p_ascii += "."; +- p_ascii_l += "."; +- } else if (t_int == 60) { +- p_hex += t_hex + " "; +- p_ascii += "<"; +- p_ascii_l += "<"; +- } else if (t_int == 62) { +- p_hex += t_hex + " "; +- p_ascii += ">"; +- p_ascii_l += ">"; +- } else { +- p_hex += t_hex + " "; +- p_ascii += String.fromCharCode(parseInt(t_hex, 16)); +- p_ascii_l += String.fromCharCode(parseInt(t_hex, 16)); +- } +- +- if ((b0 == 16) && (i < p_length)) { +- p_hex += "
"; +- p_ascii += "
"; +- b0 = 0; +- } +- } +- } +- +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += "
DATAHEXASCII
" + p_hex + "" + p_ascii + "
ASCII" + p_ascii_l + "
"; +- +- } else { +- +- head += ""; +- var p_ascii = "No Data Sent."; +- // This needs to be more robust. +- if (theData[2]) { +- var tmp = h2s(theData[2].data_payload).split("\n"); +- p_ascii = ''; +- for (var i in tmp) { +- p_ascii += "
" + tmp[i] + "
"; +- } +- +- } +- row += ""; +- row += ""; +- row += "
" + p_ascii + "
"; +- } +- +- tbl += ""; +- +- // If we are not grouped we show the signature text +- if ( sg != 0 ) { +- tbl += "
"; +- tbl += "
"; +- tbl += "
"; +- tbl += "
"; +- tbl += "
"; +- tbl += "
"; +- sigLookup(sg); +- } +- +- // Comments and tags are done here +- var tags = new Array(); +- var eventTag = 'None.'; +- var eventComment = theData[0].comment || 'None.'; +- var src_tag = theData[0].srctag || '-'; +- var dst_tag = theData[0].dsttag || '-'; +- +- // Populate tags array +- if (src_tag != "-") { +- var src_tags = src_tag.split(","); +- $.each(src_tags, function(n,tag) { +- var t = tags.indexOf(tag + ",s"); +- if (t < 0) tags.push(tag + ",s"); +- }); +- } +- +- if (dst_tag != "-") { +- var dst_tags = dst_tag.split(","); +- $.each(dst_tags, function(n,tag) { +- var t = tags.indexOf(tag + ",d"); +- if (t < 0) tags.push(tag + ",d"); +- }); +- } +- +- if (tags.length > 0) eventTag = ''; +- +- tbl += "
COMMENTS
"; +- tbl += "
" + eventComment + "
"; +- tbl += "
TAGS
"; +- tbl += "
" + eventTag + "
"; +- if (PDATA != 0) { +- tbl += "
DETAILS
"; +- } else { +- tbl += "
PAYLOAD
"; +- } +- tbl += head; +- tbl += row; +- tbl += ""; +- $("#" + rowLoke).after(tbl); +- $("#loader").hide(); +- +- // Turn off fade effect for large results +- var rC = $(".d_row_sub1").length; +- if ( rC <= 499 ) { +- $(".d_row_sub1").fadeTo('fast','0.2'); +- } +- +- // Populate tags +- clearTags(); +- for (var i=0; i < tags.length; i++) { +- addTag(tags[i]); +- } +- +- } +- break; +- } +- // If event queue is off we need to reset this after load if b_ec_hot was +- // the entry point +- if ($('#rt').text() == 'off') rtbit = 0; +- } +- +- // +- // Object click handlers +- // +- +- $(document).on("click", ".select,.ex_val,.sub_filter,.row_filter,.tof,.value_link,.nr_f", function(e) { +- // Check if we are coming from a legit object +- var prefix = $(this).data('type'); +- if (prefix == "none") return; +- +- // Check if we are coming from a sane selection +- var selLen = window.getSelection().toString().length; +- if (selLen > 4) { +- if (selLen < 255) { // Might need to change these based on how people use this +- prefix = "zz"; +- var suffix = window.getSelection().toString(); +- var re = /\s/g; +- var NOK = re.exec(suffix); +- if (NOK) return; +- } else { +- return; +- } +- } else { +- var suffix = $(this).text(); +- } +- +- var mX = e.pageX; +- var mY = e.pageY; +- +- var colour = $(this).data('col') || "FFFFFF"; +- var tfocus = "#search"; +- switch (prefix) { +- case 'ip': +- hItemAdd(suffix); +- var sord = $(this).data('sord'); +- mkPickBox(prefix,suffix,sord,colour,mX,mY); +- break; +- case 'spt': +- case 'dpt': +- hItemAdd(suffix); +- mkPickBox(prefix,suffix,0,colour,mX,mY); +- break; +- case 'cc': +- case 'scc': +- case 'dcc': +- var cc = $(this).data('value'); +- hItemAdd(cc); +- mkPickBox(prefix,cc,suffix,colour,mX,mY); +- break; +- case 'cmt': +- suffix = $(this).data('comment'); +- $("#rt").text("off"); +- $("#rt").attr('class','tvalue_off'); +- $('#search').val(prefix + " " + suffix); +- hItemAdd(suffix); +- if ($('#cat_box').css('display') != 'none') { 
+- $('#ico01').click(); +- } +- $('.b_update').click(); +- break; +- case 'cmt_c': +- $('.cat_msg_txt').val(suffix); +- hItemAdd(suffix); +- tfocus = ".cat_msg_txt"; +- break; +- case 'fil': +- var fil = $(this).data('value'); +- $('#search').val(fil); +- hItemAdd(fil); +- if ($('#fltr_box').css('display') != 'none') { +- $('#ico04').click(); +- } +- $('.b_update').click(); +- break; +- case 'sid': +- var value = $(this).data('value'); +- hItemAdd(suffix); +- mkPickBox(prefix,value,suffix,colour,mX,mY); +- break; +- case 'st': +- var suffix = $(this).attr('id').split('-')[1]; +- $('#search').val(prefix + " " + suffix); +- // RT must be off to return anything +- $('#rt').attr('class','tvalue_off'); +- $('#rt').text('off'); +- rtbit = 0; +- $('.b_update').click(); +- break; +- case 'el': +- var suffix = $(this).data('value'); +- mkPickBox(prefix,suffix,0,colour,mX,mY); +- break; +- case 'zz': +- hItemAdd(suffix); +- mkPickBox(prefix,suffix,0,colour,mX,mY); +- break; +- } +- }); +- +- // +- // Picker Box +- // +- +- function mkPickBox(prefix,suffix,rsuffix,colour,mX,mY) { +- var doexternals = "yes"; +- var objhex = s2h(suffix); +- var tbl = '', row = ''; +- // Local stuff first +- switch (prefix[prefix.length - 1]) { +- case "c": +- row += ":: SRC or DST"; +- row += ":: SRC"; +- row += ":: DST"; +- row += ":: SEARCH"; +- break; +- case "p": +- row += ":: SRC or DST"; +- row += ":: SRC"; +- row += ":: DST"; +- row += ":: ADD / REMOVE TAG"; +- if ($('.sigtxt')[0]) { +- row += ":: HISTORY"; +- } +- row += ":: SEARCH"; +- row += ":: COLOUR  "; +- row += ""; +- row += "apply"; +- row += "apply all"; +- row += ""; +- break; +- case "t": +- row += ":: SRC"; +- row += ":: DST"; +- row += ":: SEARCH"; +- break; +- case "d": +- row += ":: SIGNATURE"; +- if ($('.sigtxt')[0]) { +- row += ":: HISTORY"; +- } +- row += ":: SEARCH"; +- break; +- case "l": +- row += ":: COLOUR  "; +- row += ""; +- row += "update"; +- doexternals = "no"; +- break; +- case "z": +- row += ":: SEARCH"; +- 
break; +- } +- +- // If applicable populate externals +- if (doexternals == "yes") { +- $('.f_row').each(function() { +- var ct = $(this).data('type'); +- if (ct == 'url') { +- var alias = $(this).data('alias'); +- var name = $(this).data('name'); +- var url = $(this).data('filter'); +- row += ""; +- row += "" + name + ""; +- row += ""; +- } +- }); +- } +- +- tbl += ""; +- tbl += row; +- tbl += "
"; +- +- var boxlabel = suffix; +- +- // Use more descriptive names where possible +- var re = /(sid|cc|scc|dcc)/; +- var OK = re.exec(prefix); +- if (OK) { +- var boxlabel = rsuffix; +- } +- +- if (boxlabel.length > 24) { +- boxlabel = boxlabel.substring(0,24); +- boxlabel += ".."; +- } +- +- $('#pickbox_label').text(boxlabel).css('font-weight','normal').data('sord', rsuffix); +- +- if ($('#tlpick')[0]) $('#tlpick').remove(); +- $(".pickbox_tbl").append(tbl); +- $('.pickbox').fadeIn('fast'); +- +- // Colour Picker +- $("#menucol").spectrum({ +- showInput: true, +- className: "full-spectrum", +- showInitial: true, +- showPalette: true, +- showSelectionPalette: true, +- maxPaletteSize: 6, +- preferredFormat: "hex", +- localStorageKey: "spectrum.demo", +- move: function (color) {}, +- show: function () {}, +- beforeShow: function () {}, +- hide: function () {}, +- change: function() {}, +- palette: [ +- ['rgb(217,217,217)','rgb(189,189,189)','rgb(150,150,150)','rgb(99,99,99)','rgb(37,37,37)'], +- ['rgb(199,233,192)','rgb(161,217,155)','rgb(116,196,118)','rgb(49,163,84)','rgb(0,109,44)'], +- ['rgb(218,218,235)','rgb(188,189,220)','rgb(158,154,200)','rgb(117,107,177)','rgb(84,39,143)'], +- ['rgb(198,219,239)','rgb(158,202,225)','rgb(107,174,214)','rgb(49,130,189)','rgb(8,81,156)'], +- ['rgb(254,217,118)','rgb(254,178,76)','rgb(253,141,60)','rgb(240,59,32)','rgb(189,0,38)'] +- ] +- }); +- } +- +- // Pickbox click events +- $(document).on('click', '.p_row', function() { +- if ($('.tagbox').css('display') != 'none') $('.tagcancel').click(); +- var ctype = $(this).data('type'); +- var alias = $(this).data('alias'); +- var args = $('#tlpick').data('val'); +- switch(ctype) { +- case "l": +- $('.pickbox').fadeOut('fast'); +- $('#search').val(alias + " " + args); +- $('.b_update').click(); +- break; +- case "r": +- $('.pickbox').fadeOut('fast'); +- var url = h2s($(this).data('url')).replace("${var}", args); +- window.open(url); +- break; +- case "t": +- 
$('.tagbox').fadeIn('fast'); +- $('.taginput').focus(); +- break; +- case "s": +- $('.pickbox').fadeOut('fast', function() {; +- $('#ico05').click(); +- }); +- $('.srch_txt').val(args); +- break; +- case "h": +- doHistory(args); +- $('.pickbox').fadeOut('fast'); +- break; +- default: return; +- } +- }); +- +- // +- // Tags +- // +- +- // Truncate +- function truncTag(tag,len) { +- if (tag.length > len) tag = tag.substring(0,len) + ".."; +- return tag; +- } +- +- // Filter results or add as new +- $(document).on('click', '.tag', function() { +- var tag = $(this).data('val'); +- if($('.taginput').is(":visible")) { +- $('.taginput').val(tag); +- $('.taginput').focus(); +- } else { +- $('#search').val('tag ' + tag); +- $('.b_update').click(); +- } +- }); +- +- // Remove individual tags on "(X)" click via payload area +- $(document).on('mouseenter', '.tag_d, .tag_s', function() { +- var tag = $(this).data('val'); +- if ($(".tag_x")[0]) return; +- var dw = $(this).width() - 5 + "px"; +- $(this).append("
X
"); +- $(".tag_x").css("margin-left", dw); +- $(".tag_x").fadeIn("slow"); +- +- }); +- +- $(document).on('mouseleave', '.tag_d, .tag_s', function() { +- $('.tag_x').remove(); +- }); +- +- $(document).on('click', '.tag_x', function() { +- var tag = $(this).parent().data("val"); +- var obj = $(this).parent().data("obj"); +- $(this).parent().remove(); +- var len = $("#tag_area").text().length; +- if (len == 0) $("#tag_area").append("None."); +- //doTag(s2h(obj),tag,'rm'); +- }); +- +- // Fire tag add on enter +- $('.taginput').keypress(function(e) { +- if (!e) e=window.event; +- key = e.keyCode ? e.keyCode : e.which; +- if (key == 13) $('.tagok').click(); +- }); +- +- // Close tag entry +- $(document).on('click', '.tagcancel', function() { +- $('.taginput').val(''); +- $('.tagbox').fadeOut('fast'); +- }); +- +- // Add a tag +- $(document).on('click', '.tagok', function() { +- var tag = $('.taginput').val(); +- var obj = $('#pickbox_label').text(); +- var re = /^[?a-zA-Z0-9][\s{1}\w-\.]*$/; +- var OK = re.exec(tag); +- if (OK) doTag(s2h(obj),tag,'add'); +- }); +- +- // Remove a tag +- $(document).on('click', '.tagrm', function() { +- var tag = truncTag($('.taginput').val(),20); +- var obj = $('#pickbox_label').text(); +- doTag(s2h(obj),tag,'rm'); +- $(".tag" + ":contains('" + tag + "')").remove(); +- $('.tagcancel').click(); +- }); +- +- // Display or Toggle tags +- function addTag(tag) { +- // If we entered from payload we have some additional info +- if ($('#eview_sub2')[0]) { +- var longTag = tag.split(",")[0]; +- var theClass = tag.split(",")[1]; +- var t_tag = truncTag(longTag,20); +- } else { +- var t_tag = truncTag(tag,20); +- } +- +- // Hide empty +- $('.tag_empty').hide(); +- +- // Check if tag exists +- var tag_exists = 0; +- $('.tag').each(function() { +- if ($(this).text() == t_tag) { +- $(this).addClass('tag_active'); +- tag_exists = 1; +- } +- }); +- +- // Add tag to left pane +- if (tag_exists == 0) { +- var newTag = "
" + t_tag + "
"; +- $('#tg_box').prepend(newTag); +- } +- +- // If we have the payload open, add here as well +- if ($('#eview_sub2')[0]) { +- if($('#pickbox_label').is(":visible")) { +- theClass = $('#pickbox_label').data('sord')[0]; +- } +- // Remove placeholder +- if ($('#tag_none')[0]) $('#tag_none').remove(); +- var newTag = "
" + t_tag + "
"; +- $('#tag_area').prepend(newTag); +- } +- +- } +- +- function doTag(obj,tag,op) { +- var urArgs = "type=19&obtype=tag&object=" + obj + "&value=" + tag + "&op=" + op; +- $(function(){ +- $.post(".inc/callback.php?" + urArgs, function(data){cb22(data)}); +- }); +- +- function cb22(data){ +- eval("theData=" + data); +- if (theData.msg != '') { +- alert(theData.msg); +- } else { +- if (op != 'rm') addTag(tag); +- $('.tagcancel').click(); +- } +- } +- } +- +- // Colours +- $(document).on('click', '.csave', function() { +- var obtype = $(this).data('obtype'); +- var object = $(this).data('object'); +- var colour = $('#menucol').val().replace(/#/,"").toUpperCase(); +- var op = "add"; +- var re = /^([A-Fa-f0-9]{6}|[A-Fa-f0-9]{3})$/; +- var OK = re.exec(colour); +- if (!OK) return; +- // Single or multiple? +- if (obtype == "src" || obtype == "dst") { +- var vr = new Array(); +- $("." + obtype).each(function() { +- var v = $(this).text(); +- var re = /\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}/; +- var OK = re.exec(v); +- if (OK) { +- var t = vr.indexOf(v); +- if (t < 0) vr.push(v); +- } +- }); +- object = vr.toString(); +- } +- +- var urArgs = "type=19&obtype=" + obtype + "_c&object=" + object + "&value=" + colour + "&op=" + op; +- $(function(){ +- $.post(".inc/callback.php?" + urArgs, function(data){cb22(data)}); +- }); +- +- function cb22(data){ +- eval("theData=" + data); +- if (theData.msg != '') { +- alert(theData.msg); +- } else { // We should be good.. +- var curObject = $('#pickbox_label').text(); +- if (obtype == "el") { +- var html = "
" + colour; +- $('#el_' + curObject).html(html); +- $('#el_' + curObject).data('col', colour); +- } else { +- $(".sub_filter:contains(" + curObject + ")").each(function() { +- $(this).find('.object').css('background-color', '#' + colour).parent().data('col', colour); +- }); +- } +- $('.pickbox').fadeOut('fast'); +- } +- } +- }); +- +- $(document).on('click', '.pickbox_close', function() { +- $('.tagcancel').click(); +- $('.pickbox').fadeOut('fast'); +- }); +- +- // +- // Object History +- // +- +- function hItemAdd(item) { +- var itemTitle = item; +- // Truncate +- if (item.length > 33) { +- itemTitle = item.substring(0,33) + ".."; +- } +- // Remove empty message +- $('.history_empty').hide(); +- +- // If the item doesn't exist, add it. Otherwise, we start counting. +- if ($(".h_item:contains('" + itemTitle + "')").length > 0) { +- var oc = $(".h_item:contains('" + itemTitle + "')").data('n'); +- var nc = Number(oc) + 1; +- var bg = '#c9c9c9'; +- var fn = 'normal'; +- if (nc <= 3) { +- bg = '#000'; +- } else if (nc > 3) { +- bg = '#cc0000'; +- fn = 'bold'; +- } +- +- $(".h_item:contains('" + itemTitle + "')").css('color', bg); +- $(".h_item:contains('" + itemTitle + "')").css('font-weight', fn); +- $(".h_item:contains('" + itemTitle + "')").data('n',nc); +- $(".h_item:contains('" + itemTitle + "')").text(itemTitle + "(" + nc + ")"); +- } else { +- var toAdd = " " + itemTitle + ""; +- $('#h_box').prepend(toAdd); +- } +- } +- +- if (!$('.h_item')[0]) { +- $('.history_empty').show(); +- } +- +- // Alt mappings for icons +- +- $.alt('1', function() { +- $("#ico01").click(); +- }); +- $.alt('2', function() { +- $("#ico02").click(); +- }); +- $.alt('3', function() { +- $("#ico03").click(); +- }); +- $.alt('4', function() { +- $("#ico05").click(); +- }); +- $.alt('5', function() { +- $("#ico04").click(); +- }); +- +- // +- // Event classification +- // +- +- // Use function keys to trigger status buttons +- $(document).keydown(function(event){ +- +- function stopOthers() 
{ +- event.originalEvent.keyCode = 0; +- event.preventDefault(); +- event.stopPropagation(); +- } +- +- switch (event.keyCode) { +- case 112: stopOthers(); $('#b_class-11').click(); break; +- case 113: stopOthers(); $('#b_class-12').click(); break; +- case 114: stopOthers(); $('#b_class-13').click(); break; +- case 115: stopOthers(); $('#b_class-14').click(); break; +- case 116: stopOthers(); $('#b_class-15').click(); break; +- case 117: stopOthers(); $('#b_class-16').click(); break; +- case 118: stopOthers(); $('#b_class-17').click(); break; +- case 119: stopOthers(); $('#b_class-1').click(); break; +- case 120: stopOthers(); $('#b_class-2').click(); break; +- } +- }); +- +- // Comment window status buttons +- $(document).on("click", "#cw_buttons", function(event) { +- var newclass = $(event.target).data('n'); +- if (newclass == 0) { +- $('#b_class-' + newclass).click(); +- } else { +- $('#b_class-' + newclass).click(); +- } +- }); +- +- // Highlight colour for selected events +- var hlcol = "#FFFFE0"; +- var hlhov = "#FDFDD6"; +- +- // Individual selects +- var clickOne = 0, clck1 = 0, clck2 = 0; +- $(document).on("click", ".chk_event", function(event) { +- $("#tl3b").trigger('update'); +- var clickTwo = this.id.split("_"); +- if (Number(clickOne[1]) > Number(clickTwo[1])) { +- clck1 = clickTwo[1]; +- clck2 = clickOne[1]; +- } else { +- clck1 = clickOne[1]; +- clck2 = clickTwo[1]; +- } +- +- if (event.shiftKey) { +- if (clck1 != clck2) { +- $("#s" + clck1).nextUntil("#s" + clck2).find(".chk_event").prop("checked", true); +- $("#s" + clck1).nextUntil("#s" + clck2).css("background-color", hlcol); +- $("#s" + clck1).nextUntil("#s" + clck2).hover( +- function(){$(this).css("background-color", hlhov)}, +- function(){$(this).css("background-color", hlcol)}); +- clickOne = 0, clck1 = 0, clck2 = 0; +- } +- } +- +- // Update class_count +- $("#class_count").html($(".chk_event:checked").length); +- if ($("#ca1:checked").length > 0) { +- $("#ca1").prop("checked",false); +- 
} +- clickOne = this.id.split("_"); +- +- if ($(this).prop("checked") == true) { +- $("#s" + clickTwo[1]).css("background-color", hlcol); +- $("#s" + clickTwo[1]).hover(function(){$(this).css("background-color", hlhov)}, +- function(){$(this).css("background-color", hlcol)}); +- } else { +- $("#s" + clickTwo[1]).css("background-color", "transparent"); +- $("#s" + clickTwo[1]).hover(function(){$(this).css("background-color", "#f4f4f4")}, +- function(){$(this).css("background-color", "transparent")}); +- } +- }); +- +- // Select all (2) +- $(document).on("click", "#ca1", function(event) { +- var chkLen = $("#ca1:checked").length; +- switch(chkLen) { +- case 0: +- $(".chk_event").prop("checked",false); +- $("#ca0").prop("checked",false); +- $(".d_row_sub1").css("background-color", "transparent"); +- $(".d_row_sub1").hover(function(){$(this).css("background-color", "#f4f4f4")}, +- function(){$(this).css("background-color", "transparent")}); +- break; +- default: +- $(".chk_event").each(function() { +- if ($(this).prop("disabled") == false) { +- $(this).prop("checked",true); +- } +- }); +- $(".d_row_sub1").css("background-color", hlcol); +- $(".d_row_sub1").hover(function(){$(this).css("background-color", hlhov)}, +- function(){$(this).css("background-color", hlcol)}); +- $("#ca0").prop("checked",true); +- break; +- } +- +- if ($(".eview_sub1")[0]) { +- // Update class_count +- $("#class_count").html($(".chk_event:checked").length); +- } +- +- }); +- +- // Select all (2a) - clean this up, the above is almost identical +- $(document).on("click", "#ca2", function(event) { +- var chkLen = $("#ca2:checked").length; +- switch(chkLen) { +- case 0: +- $(".chk_event").prop("checked",false); +- $("#ca2").prop("checked",false); +- $(".d_row_sub1").css("background-color", "transparent"); +- $(".d_row_sub1").hover(function(){$(this).css("background-color", "#f4f4f4")}, +- function(){$(this).css("background-color", "transparent")}); +- break; +- default: +- 
$(".chk_event").each(function() { +- if ($(this).prop("disabled") == false) { +- $(this).prop("checked",true); +- } +- }); +- $(".d_row_sub1").css("background-color", hlcol); +- $(".d_row_sub1").hover(function(){$(this).css("background-color", hlhov)}, +- function(){$(this).css("background-color", hlcol)}); +- $("#ca2").prop("checked",true); +- break; +- } +- // Update class_count +- $("#class_count").html($(".chk_event:checked").length); +- }); +- +- // Class button click +- $(document).on("click", "[id*=\"b_class-\"]", function() { +- // We only fire if something is selected +- var chkLen = parseInt($(".chk_event:checked").length + $(".chk_all:checked").length); +- var intclass = $(this).attr('id').split("-"); +- if (chkLen > 0 && intclass[1] != 0) { +- eClass(this,intclass[1]); +- } +- }); +- +- function eClass(caller,intclass) { +- // The sid.cid values +- var scid= "", scidlist = "", ecls = 0; +- if ($(".eview_sub1")[0] || $("#ca2")[0]) { +- $(".chk_event:checked").each(function() { +- if ($(this).data('eclass') == 0) { +- ecls++; +- } +- scid += $(this).val() + ","; +- }); +- scidlist = scid.replace(/,$/, ""); +- } else { +- ecls = $(".d_row_active").find(".b_ec_hot").text(); +- scidlist = $("#ca0").data("scid"); +- } +- +- // Was there a message? +- var msg = "none"; +- if ($(".cat_msg_txt").val().length != 0) { +- msg = $(".cat_msg_txt").val(); +- } +- +- if ($('#cat_box').css('display') != 'none') { +- $('#ico01').click(); +- } +- +- // We are now ready to class +- var catdata = intclass + "|||" + msg + "|||" + scidlist; +- var urArgs = "type=" + 9; +- $(function(){ +- $.post(".inc/callback.php?" 
+ urArgs, { catdata: catdata } ,function(data){cb9(data)}); +- }); +- +- function cb9(data){ +- eval("catRaw=" + data); +- catDbg = catRaw.dbg; +- if (catDbg == "0") { +- +- var curtotalrtcount = Number(ecls); +- // Working on grouped events +- if ($("#gr").text() == "on") { +- curclasscount = Number($("#class_count").text()); +- var curtotalparentcount = $(".d_row_active").find(".b_ec_hot").text(); +- // Do we have queued events? +- if (curtotalparentcount > 0) { +- +- // Are we working on queued events? +- if (curtotalrtcount > 0) { +- curclasscount = curtotalrtcount; +- } else { +- curclasscount = 0; +- } +- // Adjust the parent count +- newparentcount = parseInt(curtotalparentcount - curclasscount,10); +- $(".d_row_active").find(".b_ec_hot").text(newparentcount); +- +- if (newparentcount == 0) { +- $(".d_row_active").find(".b_ec_hot").parent().attr('class','row'); +- $(".d_row_active").find(".b_ec_hot").attr('class','b_ec_cold'); +- } +- +- // If we are working within the child, adjust accordingly +- if ($(".eview_sub1")[0]) { +- // How many are in the child +- curtotalchildcount = $(".d_row_sub_active").find(".b_ec_hot").text(); +- +- // Adjust the child count +- newchildcount = parseInt(curtotalchildcount - curclasscount,10); +- $(".d_row_sub_active").find(".b_ec_hot").text(newchildcount); +- if (newchildcount == 0) { +- $("#ca1").prop("disabled",true); +- $(".d_row_sub_active").find(".b_ec_hot").parent().attr('class','sub'); +- $(".d_row_sub_active").find(".b_ec_hot").attr('class','b_ec_cold'); +- } +- // Otherwise we were called from the parent +- } else { +- $(".d_row_sub").find(".b_ec_hot").parent().attr('class','sub'); +- $(".d_row_sub").find(".b_ec_hot").text(0); +- $(".d_row_sub").find(".b_ec_hot").attr('class','b_ec_cold'); +- $("#ca0").prop("disabled",true); +- } +- lastclasscount = newparentcount; +- } +- +- // Lastly, update class_count +- if (rtbit == 1 || curtotalrtcount > 0 || $("#eview_sub")[0]) { +- $("#class_count").html(0); +- } else { +- 
$("#class_count").html($(".d_row_active").find(".b_ec_total").text()); +- } +- +- // Working on ungrouped events +- } else { +- $("#class_count").html(lastclasscount); +- } +- +- // What the new classification is +- selClass = $(caller).data("cn"); +- newClass = "a_" + selClass; +- +- // Change visible class and disable if RT +- // If we are RT ungrouped, we just remove +- if ($('#rt').text() == 'on' && $("#ca2")[0]) { +- $(".chk_event:checked").each(function() { +- var pid = $(this).attr("id").split("_"); +- var nid = parseInt(Number(pid[1]) + 1); +- // Remove any open payload or TX panes +- if ($("[id^=eview_]")[0]) { +- $("[id^=eview_]").remove(); +- $(".d_row_sub1").css('opacity','1'); +- } +- // Remove the row +- $("#s" + pid[1]).fadeOut('fast', function() { +- $("#s" + pid[1]).remove(); +- }); +- }); +- +- // Update table (for sorter) +- $("#tl3b").trigger('update'); +- } else { +- // If we are RT and all events are classed we just remove +- if ($('#rt').text() == 'on' && $(".d_row_active").find(".b_ec_hot").text() == 0) { +- $("#active_eview").remove(); +- $(".d_row_active").fadeOut('slow', function (event) { +- $(".d_row_active").remove(); +- var newsigtotal = "-"; +- var sigtotal = $("#esignature").text(); +- if (sigtotal > 0) { +- newsigtotal = parseInt(sigtotal - 1); +- } +- $("#esignature").text(newsigtotal); +- }); +- $(".d_row").css('opacity','1'); +- } else { +- $(".chk_event:checked").each(function() { +- var n = this.id.split("_"); +- $("#class_box_" + n[1]).attr('class', newClass); +- $("#class_box_" + n[1]).text(selClass); +- if (curtotalparentcount > 0) { +- $(this).prop("disabled",true); +- } +- }); +- } +- $(".d_row_sub1").css("background-color", "#fafafa"); +- $(".d_row_sub1").hover(function(){$(this).css("background-color", "#f4f4f4")}, +- function(){$(this).css("background-color", "#fafafa")}); +- } +- +- // Uncheck everything +- $(".chk_event").prop("checked", false); +- $(".chk_all").prop("checked", false); +- // Remove these scids from 
the L1 scidlist +- if ($("#ca0")[0] && rtbit == 1) { +- var cur_scidlist = scidlist.split(','); +- var active_scidlist = $("#ca0").data("scid"); +- for (var i = 0; i < cur_scidlist.length; i++) { +- active_scidlist = active_scidlist.replace(cur_scidlist[i],''); +- } +- active_scidlist = active_scidlist.replace(/,{2,}/g,','); +- active_scidlist = active_scidlist.replace(/(^,|,$)/g,''); +- $("#ca0").data("scid", active_scidlist); +- } +- catMsg(scidlist.split(',').length, curtotalrtcount); +- } else { +- catMsg(0); +- } +- } +- } +- +- function catMsg(count, rtcount) { +- switch (count) { +- default: +- var ess = ''; +- if ( count > 1 ) ess = 's'; +- +- var numrows = Number($('.d_row').length + $('.d_row_sub1').length); +- var newboxtotal = 0, newcatcount = 0; +- newboxtotal = parseInt($("#qtotal").text() - rtcount); +- $("#qtotal").text(newboxtotal); +- +- // If we are just rt update Total boxes as we go +- if ($("#ca2")[0]) { // We are ungrouped +- newcatcount = parseInt($("#cat_count").text() - count); +- if (newcatcount == 0) { +- newView("u"); +- } else { +- $("#cat_count").text(newcatcount); +- } +- } +- +- if (numrows == 0) { +- newView("u"); +- } +- +- var msg = count + " event" + ess + " categorized"; +- clearTags(); +- break; +- } +- +- $("span.class_msg").text(msg); +- $("span.class_msg").fadeIn('slow', function() { +- setTimeout(function(){ +- $(".class_msg").fadeOut('slow'); +- }, 3000); +- }); +- } +- +- // Load summary tab +- function loadSummary() { +- var limit = 10; +- if ($('#wm0')[0]) { +- doMap("redraw"); +- } else { +- doMap("draw"); +- } +- mkSummary("signature",limit); +- mkSummary("srcip",limit); +- mkSummary("dstip",limit); +- mkSummary("srcpt",limit); +- mkSummary("dstpt",limit); +- mkSummary("srccc",limit); +- mkSummary("dstcc",limit); +- } +- +- // Toggle summary section +- $(document).on("click", ".hidepane", function(e) { +- $('#topsignature').toggle(); +- }); +- +- // Summary tab +- function mkSummary(box,limit) { +- var theWhen = 
getTimestamp(); +- var theSensors = s2h('empty'); +- var theFilter = mkFilter(); +- // See if we are filtering by sensor +- if ($('.chk_sen:checked').length > 0) { +- var active_sensors = "AND event.sid IN("; +- var iter = $('.chk_sen:checked').length; +- $('.chk_sen:checked').each(function() { +- active_sensors += "'" + $(this).val() + "',"; +- }); +- active_sensors = active_sensors.replace(/,+$/,''); +- active_sensors += ")"; +- theSensors = s2h(active_sensors); +- } +- +- var ldr = "
"; +- $('#ov_' + box + '_sl').prepend(ldr); +- $('#top' + box).fadeTo('fast', 0.2); +- switch (box) { +- case "srcip": +- var cbArgs = "srcip"; +- var qargs = "ip-src"; +- var urArgs = "type=15&qargs=" + qargs + "&filter=" + theFilter + "&sensors=" + theSensors + "&limit=" + limit + "&ts=" + theWhen; +- $(function(){ +- $.get(".inc/callback.php?" + urArgs, function(data){cb15(data,cbArgs)}); +- }); +- break; +- case "dstip": +- var cbArgs = "dstip"; +- var qargs = "ip-dst"; +- var urArgs = "type=15&qargs=" + qargs + "&filter=" + theFilter + "&sensors=" + theSensors + "&limit=" + limit + "&ts=" + theWhen; +- $(function(){ +- $.get(".inc/callback.php?" + urArgs, function(data){cb15(data,cbArgs)}); +- }); +- break; +- case "srcpt": +- var cbArgs = "srcpt"; +- var qargs = "pt-src"; +- var urArgs = "type=15&qargs=" + qargs + "&filter=" + theFilter + "&sensors=" + theSensors + "&limit=" + limit + "&ts=" + theWhen; +- $(function(){ +- $.get(".inc/callback.php?" + urArgs, function(data){cb17(data,cbArgs)}); +- }); +- break; +- case "dstpt": +- var cbArgs = "dstpt"; +- var qargs = "pt-dst"; +- var urArgs = "type=15&qargs=" + qargs + "&filter=" + theFilter + "&sensors=" + theSensors + "&limit=" + limit + "&ts=" + theWhen; +- $(function(){ +- $.get(".inc/callback.php?" + urArgs, function(data){cb17(data,cbArgs)}); +- }); +- break; +- case "signature": +- var qargs = "sig-sig"; +- var urArgs = "type=15&qargs=" + qargs + "&filter=" + theFilter + "&sensors=" + theSensors + "&limit=" + limit + "&ts=" + theWhen; +- $(function(){ +- $.get(".inc/callback.php?" + urArgs, function(data){cb16(data)}); +- }); +- break; +- case "srccc": +- var cbArgs = "srccc"; +- var qargs = "cc-src"; +- var urArgs = "type=15&qargs=" + qargs + "&filter=" + theFilter + "&sensors=" + theSensors + "&limit=" + limit + "&ts=" + theWhen; +- $(function(){ +- $.get(".inc/callback.php?" 
+ urArgs, function(data){cb15(data,cbArgs)}); +- }); +- break; +- case "dstcc": +- var cbArgs = "dstcc"; +- var qargs = "cc-dst"; +- var urArgs = "type=15&qargs=" + qargs + "&filter=" + theFilter + "&sensors=" + theSensors + "&limit=" + limit + "&ts=" + theWhen; +- $(function(){ +- $.get(".inc/callback.php?" + urArgs, function(data){cb15(data,cbArgs)}); +- }); +- break; +- } +- +- // IP and Country +- function cb15(data,cbArgs){ +- var ch = "SRC"; +- var wip = "d"; +- if (cbArgs[0] == "s") ch = "DST", wip = "s"; +- eval("raw=" + data); +- var tbl = '', head = '', row = ''; +- head += ""; +- head += "COUNT"; +- head += "%TOTAL"; +- head += "#SIG"; +- head += "#" + ch + ""; +- if (cbArgs[3] == "c") { +- head += "COUNTRY"; +- head += "#IP"; +- } else { +- head += "IP"; +- head += "COUNTRY"; +- } +- head += ""; +- +- var eventsum = raw[raw.length - 1].n || 0; +- var records = raw[raw.length - 1].r || 0; +- if (records == 0) { +- row = "No result."; +- $("#ov_" + cbArgs + "_sl").text(""); +- } +- for (var i=0; i 0) per = parseFloat(cnt/eventsum*100).toFixed(2); +- row += ""; +- row += "" + cnt + ""; +- row += "" + per + "%"; +- row += "" + sigs + ""; +- row += "" + ip2 + ""; +- +- if (cbArgs[3] == "c") { +- row += ""; +- row += cs[1] + clong + " (." + cc.toLowerCase() + ")" + ""; +- row += "" + ip + ""; +- } else { +- row += "
" + ip + ""; +- row += ""; +- row += cs[1] + clong + " (." + cc.toLowerCase() + ")" + ""; +- } +- row += ""; +- row += "
"; +- } +- tbl += ""; +- tbl += head; +- tbl += row; +- tbl += "
"; +- if ($("#top" + cbArgs)[0]) $("#top" + cbArgs).remove(); +- $("#ov_" + cbArgs + "_sl").after(tbl); +- $("#ov_" + cbArgs + "_msg").html("viewing " + i + " of " + records + " results"); +- mkSlider("ov_" + cbArgs + "_sl", i, records); +- } +- +- // Ports +- function cb17(data,cbArgs){ +- eval("raw=" + data); +- var tbl = '', head = '', row = ''; +- head += ""; +- head += "COUNT"; +- head += "%TOTAL"; +- head += "#SIG"; +- head += "#SRC" +- head += "#DST"; +- head += "PORT"; +- head += ""; +- +- var eventsum = raw[raw.length - 1].n || 0; +- var records = raw[raw.length - 1].r || 0; +- if (records == 0) { +- row = "No result."; +- $("#ov_" + cbArgs + "_sl").text(""); +- } +- for (var i=0; i 0) per = parseFloat(cnt/eventsum*100).toFixed(2); +- row += ""; +- row += "" + cnt + ""; +- row += "" + per + "%"; +- row += "" + sigs + ""; +- row += "" + src + ""; +- row += "" + dst + ""; +- row += "" + port + ""; +- row += ""; +- row += "
"; +- } +- tbl += ""; +- tbl += head; +- tbl += row; +- tbl += "
"; +- if ($("#top" + cbArgs)[0]) $("#top" + cbArgs).remove(); +- $("#ov_" + cbArgs + "_sl").after(tbl); +- $("#ov_" + cbArgs + "_msg").html("viewing " + i + " of " + records + " results"); +- mkSlider("ov_" + cbArgs + "_sl", i, records); +- } +- // Signature +- function cb16(data){ +- eval("raw=" + data); +- var tbl = '', head = '', row = ''; +- head += ""; +- head += "COUNT"; +- head += "%TOTAL"; +- head += "#SRC"; +- head += "#DST"; +- head += "SIGNATURE"; +- head += "ID"; +- head += ""; +- +- var eventsum = raw[raw.length - 1].n || 0; +- var records = raw[raw.length - 1].r || 0; +- if (records == 0) { +- row = "No result."; +- $("#ov_signature_sl").text(""); +- $("#ovestat").html("(No events)"); +- } else { +- $("#ovestat").html("(" + eventsum + " events)"); +- } +- for (var i=0; i 0) per = parseFloat(cnt/eventsum*100).toFixed(2); +- row += ""; +- row += "" + cnt + ""; +- row += "" + per + "%"; +- row += "" + src + ""; +- row += "" + dst + ""; +- row += "" + sig + ""; +- row += "" + sid + ""; +- row += ""; +- row += "
"; +- } +- +- tbl += ""; +- tbl += head; +- tbl += row; +- tbl += "
"; +- if ($('#topsignature')[0]) $('#topsignature').remove(); +- $("#ov_signature_sl").after(tbl); +- $("#ov_signature_msg").html("viewing " + i + " of " + records + " results"); +- mkSlider("ov_signature_sl", i, records); +- } +- } +- +- $(".ovsl").mouseup(function() { +- var section = $(this).attr('id'); +- var base = section.split("_")[1]; +- var limit = Number($("#" + section + "_lbl").text()); +- if (limit > 0) mkSummary(base, limit); +- }); +- +- // +- // Views tab +- // +- +- function loadViews() { +- $('.db_links').show(); +- if (!$("#db_view_cont")[0]) mkView(); +- } +- +- // Link handlers +- $(document).on('click', '.db_link', function() { +- $('.db_link').each(function() { +- if ($(this).data('state') == '1') { +- $(this).removeClass('db_link_active'); +- $(this).data('state', '0'); +- } +- }); +- $(this).data('state', '1'); +- mkView(); +- }); +- +- $(document).on('click', '.db_type', function() { +- $('.db_type').each(function() { +- if ($(this).data('state') == '1') { +- $(this).removeClass('db_type_active'); +- $(this).data('state', '0'); +- } +- }); +- $(this).data('state', '1'); +- mkView(); +- }); +- +- $(document).on('click','.db_save', function() { +- +- }); +- +- // Create the view +- function mkView() { +- $('#db_view_cont,#hp_info').remove(); +- if (!$("#db_view_ldr")[0]) { +- var view = 'ip'; +- $('.db_link').each(function() { +- if ($(this).data('state') == '1') { +- $(this).addClass('db_link_active'); +- view = $(this).data('val'); +- } +- }); +- +- var type = 'sk'; +- $('.db_type').each(function() { +- if ($(this).data('state') == '1') { +- $(this).addClass('db_type_active'); +- type = $(this).data('type'); +- } +- }); +- +- var theWhen = getTimestamp(); +- var theSensors = s2h('empty'); +- var theFilter = mkFilter(); +- // See if we are filtering by sensor +- if ($('.chk_sen:checked').length > 0) { +- var active_sensors = "AND event.sid IN("; +- var iter = $('.chk_sen:checked').length; +- $('.chk_sen:checked').each(function() { +- 
active_sensors += "'" + $(this).val() + "',"; +- }); +- active_sensors = active_sensors.replace(/,+$/,''); +- active_sensors += ")"; +- theSensors = s2h(active_sensors); +- } +- +- var ldr = "
"; +- $('.db_view').after(ldr); +- var qargs = view + "-" + type; +- var urArgs = "type=16&qargs=" + qargs + "&filter=" + theFilter + "&sensors=" + theSensors + "&ts=" + theWhen; +- $(function(){ +- $.get(".inc/callback.php?" + urArgs, function(data){cb17(data,type)}); +- }); +- +- function cb17(data,type) { +- eval("viewData=" + data); +- var records = viewData.records; +- if ($('#db_view_cont')[0]) $('#db_view_cont').remove(); +- if (records > 0) { +- $('.db_view').after("
"); +- switch (type) { +- case 'sk': +- var w = $(window).width(); +- var h = viewData.links.length * 12; +- if (h < 100) h = 100; +- mkSankey("db_view_cont",viewData,w,h); +- break; +- } +- } else { +- $('.db_view').after("
The query returned no results.
"); +- } +- $('#db_view_ldr').remove(); +- } +- } +- } +- +- // Make a map +- function doMap() { +- theWhen = getTimestamp(); +- var theFilter = mkFilter(); +- var working = "Working
"; +- +- $('#wm0').html(working); +- +- var urArgs = "type=" + 10 + "&filter=" + theFilter + "&ts=" + theWhen; +- $(function(){ +- $.get(".inc/callback.php?" + urArgs, function(data){cb10(data)}); +- }); +- +- function cb10(data){ +- eval("mapRaw=" + data); +- try { +- var mapDetail = $.parseJSON("{" + mapRaw.all + "}"); +- var srcc = mapRaw.srcc; +- var srce = mapRaw.srce; +- var dstc = mapRaw.dstc; +- var dste = mapRaw.dste; +- var allc = mapRaw.allc; +- var alle = mapRaw.alle; +- } +- catch(e) { +- var mapDetail = "{\"\"}"; +- } +- +- // What is our current event total? +- var esum = $('#event_sum').val(); +- var w = $(window).width() - 72; +- var h = w / 2.7 ; +- $("#ov_map").html("
"); +- $('#wm0').vectorMap({ +- map: 'world_mill_en', +- color: '#f4f3f0', +- backgroundColor: '#CFE1FC', +- zoomOnScroll: false, +- onRegionClick: function(event, code){ +- hItemAdd(code); +- $('#search').val("cc" + " " + code); +- $('#search').focus(); +- }, +- series: { +- regions: [{ +- values: mapDetail, +- scale: ['#ffffff', '#000000'], +- normalizeFunction: 'polynomial' +- }] +- }, +- onRegionLabelShow: function(e, el, code){ +- if (mapDetail[code]) { +- var eper = parseFloat(mapDetail[code]/esum*100).toFixed(3); +- el.html(el.html() + ' (' + mapDetail[code] + ' Events ' + eper + '% of Total)'); +- } else { +- el.html(el.html()); +- } +- } +- }); +- +- var stats = "("; +- stats += allc + " distinct countries)"; +- $("#ovmapstat").html(stats); +- } +- } +- +- // Redraw map +- $(document).on("click", "#map_src, #map_dst", function() { +- doMap($(this).attr('id').split("_")[1]); +- }); +- +- // +- // History +- // +- +- function doHistory(object) { +- $('#loader').show(); +- var urArgs = "type=" + 21 + "&object=" + s2h("aa" + object) + "&ts=" + theWhen; +- $(function(){ +- $.get(".inc/callback.php?" 
+ urArgs, function(data){cb21(data)}); +- }); +- +- function cb21(data){ +- eval("chartData=" + data); +- var r1 = chartData.r1; +- var r2 = chartData.r2; +- var sum = 0; +- if (r1 > 0) { +- mkHeatMap(".ev_hm",chartData.start,chartData.rows1,object); +- $('#obhist_sig').remove(); +- if (r2 > 0) { +- +- for (var i=0; i < r2; i++) { +- sum += Number(chartData.rows2[i].value); +- } +- +- var tbl = '', head = '', row = ''; +- head += ""; +- head += "COUNT"; +- head += "%TOTAL"; +- head += "SIGNATURE"; +- head += ""; +- row += ""; +- +- for (var i=0; i < r2; i++) { +- +- var cnt = chartData.rows2[i].value || "-"; +- var sig = chartData.rows2[i].label || "-"; +- var sid = chartData.rows2[i].sid || "-"; +- var per = 0; +- if (sum > 0) var per = parseFloat(cnt/sum*100).toFixed(2); +- var tsg = truncTag(sig,60); +- +- row += ""; +- row += "" + cnt + ""; +- row += "" + per + "%"; +- row += "" + tsg + ""; +- row += "" +- row += "
"; +- } +- +- row += ""; +- tbl += ""; +- tbl += head; +- tbl += row; +- tbl += "
"; +- if ($('#obhist_sig')[0]) $('#obhist_sig').remove(); +- $(".ev_py").append(tbl); +- } +- } else { +- return; +- } +- if ($(".eview_charts")[0]) $('.eview_charts').slideDown('slow'); +- $("#loader").hide(); +- } +- } +-// The End. +-}); +--- securityonion-squert-20161212.orig/.auth/sso/squert/login.php ++++ /dev/null +@@ -1,141 +0,0 @@ +- +-// +-// This program is free software: you can redistribute it and/or modify +-// it under the terms of the GNU General Public License as published by +-// the Free Software Foundation, either version 3 of the License, or +-// (at your option) any later version. +-// +-// This program is distributed in the hope that it will be useful, +-// but WITHOUT ANY WARRANTY; without even the implied warranty of +-// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +-// GNU General Public License for more details. +-// +-// You should have received a copy of the GNU General Public License +-// along with this program. If not, see . +-// +-// +- +-include_once '.inc/config.php'; +- +-$username = $password = $err = ''; +-$focus = 'username'; +-session_set_cookie_params(0, NULL, NULL, NULL, TRUE); +- +-function cleanUp($string) { +- if (get_magic_quotes_gpc()) { +- $string = stripslashes($string); +- } +- $string = mysql_real_escape_string($string); +- return $string; +-} +- +-//if ($_SERVER['REQUEST_METHOD'] == 'POST'){ +- //$username = $_REQUEST['username']; +- //$password = $_REQUEST['password']; +- $username = $_SERVER['PHP_AUTH_USER']; +- $password = $_SERVER['PHP_AUTH_PW']; +- +- $ua = $_SERVER['HTTP_USER_AGENT']; +- $rqt = $_SERVER['REQUEST_TIME']; +- $rqaddr = $_SERVER['REMOTE_ADDR']; +- $max = mt_getrandmax(); +- $rqt .= mt_rand(0,$max); +- $rqaddr .= mt_rand(0,$max); +- $ua .= mt_rand(0,$max); +- $cmpid = $rqt . $rqaddr . 
$ua; +- $id = md5($cmpid); +- $db = mysql_connect($dbHost,$dbUser,$dbPass); +- $link = mysql_select_db($dbName, $db); +- if ($link) { +- $user = cleanUp($username); +- $query = "SELECT * FROM user_info WHERE username = '$user'"; +- $result = mysql_query($query); +- $numRows = mysql_num_rows($result); +- +- if ($numRows > 0) { +- while ($row = mysql_fetch_row($result)) { +- $userName = $row[1]; +- $lastLogin = $row[2]; +- $userHash = $row[3]; +- $userEmail = $row[4]; +- $userType = $row[5]; +- $userTime = $row[6]; +- $tzoffset = $row[7]; +- } +- // The first 2 chars are the salt +- $theSalt = substr($userHash, 0,2); +- +- // The remainder is the hash +- $theHash = substr($userHash, 2); +- +- // Now we hash the users input +- $testHash = sha1($password . $theSalt); +- +- // Does it match? If yes, start the session. +- if ($testHash === $theHash) { +- session_start(); +- +- // Protect against session fixation attack +- if (!isset($_SESSION['initiated'])) { +- session_regenerate_id(); +- $_SESSION['initiated'] = true; +- } +- +- $_SESSION['sLogin'] = 1; +- $_SESSION['sUser'] = $userName; +- $_SESSION['sPass'] = $password; +- $_SESSION['sEmail'] = $userEmail; +- $_SESSION['sType'] = $userType; +- $_SESSION['sTime'] = $userTime; +- $_SESSION['tzoffset'] = $tzoffset; +- $_SESSION['sTab'] = 't_sum'; +- $_SESSION['id'] = $id; +- +- header ("Location: index.php?id=$id"); +- } else { +- $err = 'The user name or password is incorrect.'; +- $focus = 'username'; +- } +- } else { +- $err = 'The user name or password is incorrect.'; +- $focus = 'username'; +- } +- } else { +- $err = 'Connection Failed'; +- } +-//} +-?> +- +- +- +-Please login to continue +- +- +- +- +-
+-
+- +- +- +- +- +- +-
+-squert - Please login to continue
+-Username
+-
+-Password
+-
+-

+-
Version 1.6.4©2016 Paul Halliday
+-
+-
+- +- +- +--- /dev/null ++++ securityonion-squert-20161212/auth/native/squert/.js/squertMain.js +@@ -0,0 +1,3275 @@ ++/* Copyright (C) 2012 Paul Halliday */ ++ ++$(document).ready(function(){ ++ ++ $(document).on('click', '[class*="bpr"]', function() { ++ // We disallow filtering if any events have already been selected ++ // or if we stray from the event tab ++ if ($('.d_row_active')[0]) return; ++ if ($(".chk_event:checked").length > 0) return; ++ if ($(".tab_active").attr('id') != 't_sum') return; ++ ++ var prClass = $(this).attr('class').split('b')[1]; ++ var prOld = $(this).data('pr'); ++ ++ function flipIt(pattern) { ++ $(pattern).closest('tr').hide(); ++ $(pattern).closest('tr').attr('class','hidden'); ++ if ($('#gr').text() == 'on') $(pattern).closest('tr').find('.chk_event').prop("disabled",true); ++ } ++ if ($('.b' + prClass).attr('class') == 'bprA') { ++ $('.b' + prClass).attr('class', 'bpr' + prOld); ++ $('.hidden').attr('class','d_row'); ++ $('.d_row').show(); ++ if ($('#gr').text() == 'on') { ++ $('.chk_event').prop("disabled",false); ++ $('.chk_all').prop("checked",false); ++ $('.chk_event').css("background-color", "#fafafa"); ++ } ++ } else { ++ // See if we are already filtered ++ if ($('.bprA')[0]) { ++ $('.hidden').attr('class','d_row'); ++ $('.d_row').show(); ++ if ($('#gr').text() == 'on') { ++ $('.chk_event').prop("disabled",false); ++ $('.chk_all').prop("checked",false); ++ $('.chk_event').css("background-color", "#fafafa"); ++ } ++ var prPrev = $('.bprA').data('pr'); ++ $('.bprA').attr('class', 'bpr' + prPrev); ++ } ++ $('.b' + prClass).attr('class','bprA'); ++ switch (prClass) { ++ case "pr1": ptrn = ".pr2,.pr3,.pr4"; break; ++ case "pr2": ptrn = ".pr1,.pr3,.pr4"; break; ++ case "pr3": ptrn = ".pr1,.pr2,.pr4"; break; ++ case "pr4": ptrn = ".pr1,.pr2,.pr3"; break; ++ } ++ flipIt(ptrn); ++ } ++ }); ++ ++ // ++ // Load main content ++ // ++ ++ // Keep track of context ++ thisUser = $('#t_usr').data('c_usr'); ++ thisTZ = $('#user_tz').val(); ++ 
rtbit = 0; ++ eventList("0-aaa-00"); ++ $("#loader").show(); ++ lastclasscount = 0; ++ ++ $(document).on("click", "#dt_savetz", function(event) { ++ if ($('.dt_error').data('err') == 0) { ++ var newOffset = $('#ts_offset').val(); ++ profileUpdate("tz", s2h(newOffset)); ++ $('#user_tz').val(newOffset); ++ } ++ }); ++ ++ // Depending on context a 'No result' may be confusing ++ // so we turn off active queue and show everything ++ $(document).on('click', '#retry', function() { ++ $('#rt').attr('class','tvalue_off'); ++ $('#rt').text('off'); ++ rtbit = 0; ++ $('.b_update').click(); ++ }); ++ ++ // Get event statuses ++ var eTotal = 0, qTotal = 0; ++ function statusPoll(caller) { ++ // See if we are filtering by sensor ++ var theSensors = s2h('empty'); ++ if ($('.chk_sen:checked').length > 0) { ++ var active_sensors = "AND event.sid IN("; ++ var iter = $('.chk_sen:checked').length; ++ $('.chk_sen:checked').each(function() { ++ active_sensors += "'" + $(this).val() + "',"; ++ }); ++ active_sensors = active_sensors.replace(/,+$/,''); ++ active_sensors += ")"; ++ theSensors = s2h(active_sensors); ++ } ++ ++ var urArgs = "type=" + 6 + "&ts=" + theWhen + "&sensors=" + theSensors; ++ $(function(){ ++ $.get(".inc/callback.php?" + urArgs, function(data){cb(data)}); ++ }); ++ ++ function cb(data){ ++ // Check to make sure we still have a valid session. If we don't ++ // let the user know and return them to the login page. ++ if (data[0] == "<") { ++ $("span.class_msg").text("Your session has expired!"); ++ $("span.class_msg").css("background-color", "#cc0000"); ++ $("span.class_msg").css("color", "#fff"); ++ $("span.class_msg").show(); ++ var sessionDead = confirm("Your session has expired. Press \"OK\" to return to the login page. If you aren't finished with what you were looking at click 'Cancel'. 
Note: you won't be able to perform any actions."); ++ if (sessionDead) { ++ $("#logout").click(); ++ } ++ } ++ eval("ec=" + data); ++ ++ var esum = 0; ++ ++ for (var i=0; i 0) { ++ var p = parseFloat(ecount/esum*100).toFixed(1); ++ var w = parseInt(p*2); ++ } ++ if (eclass == 0) { ++ qTotal = ecount; ++ } ++ $("#c-" + eclass).text(ecount); ++ $("#c-" + eclass).append("(" + p + "%)"); ++ } ++ ++ var lastcount = $("#cat_sum").val(); ++ var newcount = esum; ++ $("#cat_sum").val(esum); ++ eTotal = esum; ++ $("#event_sum").val(eTotal); ++ ++ if (caller == 0) { // Fresh load ++ lastcount = newcount; ++ } ++ ++ // Last RT value ++ var lastQ = Number($("#qtotal").html()); ++ if (lastcount < newcount) { ++ $("#etotal").html(eTotal); ++ } ++ ++ if (lastQ < qTotal) { ++ if (caller != 0) { ++ if ($(".icon_notifier").css('display') == 'none') $(".icon_notifier").fadeToggle(); ++ } ++ $("#etotal").html(eTotal); ++ $("#qtotal").html(qTotal); ++ } ++ ++ $("#title").html("squert (" + qTotal + ") - " + thisUser); ++ ++ } ++ ++ } ++ ++ // ++ // Event monitor (how often we poll for new events) ++ // ++ ++ var emTimeout = 30000; ++ window.setInterval(function(){ ++ if ($('#search').val().length == 0) { ++ statusPoll(1); ++ } ++ }, emTimeout); ++ ++ $(document).on("click", '[class*="cl_"]', function(event) { ++ var nc = $(this).attr('class').split("_"); ++ var ct = $(this).parents('table').data('comment'); ++ $(".cat_msg_txt").val(ct); ++ $('#b_class-' + nc[1]).click(); ++ }); ++ ++ // Tabs ++ var tab_cached = $("#sel_tab").val(); ++ ++ switch (tab_cached) { ++ case "t_sum": ++ $('.content-right').show(); ++ break; ++ case "t_ovr": ++ $('.content-right').hide(); ++ $('.content-left').hide(); ++ if ($('#ovestat').text().length == 0) loadSummary(); ++ break; ++ case "t_view": ++ $('.content-right').hide(); ++ $('.content-left').hide(); ++ loadViews(); ++ default: ++ $('.content-right').hide(); ++ $('.content-left').hide(); ++ break; ++ } ++ ++ $('#' + 
tab_cached).attr('class','tab_active'); ++ $("#" + tab_cached + "_content").attr('class','content_active'); ++ ++ $(".tab,.tab_active").click(function(event) { ++ var active = $(".tab_active").attr('id'); ++ var content = $(".content_active").attr('id'); ++ if ($(".fl_val_on")[0]) { ++ $('.b_update').click(); ++ } ++ ++ if ( this.id != active ) { ++ $("#" + active).removeClass('tab_active'); ++ $("#" + active).addClass('tab'); ++ $(this).attr('class','tab_active'); ++ $("#" + content).attr('class','content'); ++ $("#" + this.id + "_content").attr('class','content_active'); ++ activeTab = $(".tab_active").attr('id'); ++ $('.pin').hide(); ++ ++ switch (activeTab) { ++ case "t_sum": ++ $('.content-right').show(); ++ if (Number($('.botog').data('val')) == 1) $('.content-left').show(); ++ $('.t_pbar').css('opacity',1); ++ $('.db_links').hide(); ++ $('.pin').show(); ++ break; ++ case "t_ovr": ++ $('.content-right').hide(); ++ $('.content-left').hide(); ++ if ($('#ovestat').text().length == 0) loadSummary(); ++ $('.t_pbar').css('opacity',.1); ++ $('.db_links').hide(); ++ break; ++ case "t_view": ++ $('.content-right').hide(); ++ $('.content-left').hide(); ++ $('.t_pbar').css('opacity',.1); ++ loadViews(); ++ break; ++ default: ++ $('.content-right').hide(); ++ $('.content-left').hide(); ++ $('.t_pbar').css('opacity',.1); ++ $('.db_links').hide(); ++ break; ++ } ++ ++ $('#sel_tab').val(activeTab); ++ var ctab = $('#sel_tab').val(); ++ var urArgs = "type=" + 5 + "&tab=" + ctab; ++ $.get(".inc/callback.php?" 
+ urArgs); ++ } ++ }); ++ ++ // Sub tab groups ++ $(".tsg").click(function(event) { ++ var nc = Number($(this).attr('class').split(/\s/).length); ++ var ct = $(this).data('tab'); ++ $('.tsg_active').attr('class','tsg'); ++ $(this).attr('class','tsg tsg_active'); ++ }); ++ ++ // Toggle and update views ++ function newView(req) { ++ // No racing please ++ var bail = $("#loader").css('display'); ++ if (bail != 'none') return; ++ // Remove any stale views ++ $("#tl0,#tl1,#tl3a,#tl3b").remove(); ++ var f = "0-aaa-00"; ++ var s = "2a-aaa-00"; ++ var cv = $("#gr").text(); ++ ++ switch (cv) { ++ case "on": ++ eventList(f); ++ $("#loader").show(); ++ break; ++ case "off": ++ eventList(s); ++ $("#loader").show(); ++ break; ++ } ++ } ++ ++ // Group and ungroup ++ $(document).on("click", "#gr", function(event) { ++ var bail = $("#loader").css('display'); ++ if (bail != 'none') return; ++ var cv = $('#gr').text(); ++ switch (cv) { ++ case 'on': ++ $('#gr').attr('class','tvalue_off'); ++ $('#gr').text('off'); ++ break; ++ case 'off': ++ $('#gr').attr('class','tvalue_on'); ++ $('#gr').text('on'); ++ $("#event_sort").val("DESC"); ++ break; ++ } ++ }); ++ ++ // RT check/uncheck ++ $(document).on("click", "#rt", function(event) { ++ var bail = $("#loader").css('display'); ++ if (bail != 'none') return; ++ var cv = $('#rt').text(); ++ switch (cv) { ++ case 'on': ++ $('#rt').attr('class','tvalue_off'); ++ $('#rt').text('off'); ++ rtbit = 0; ++ break; ++ case 'off': ++ $('#rt').attr('class','tvalue_on'); ++ $('#rt').text('on'); ++ rtbit = 1; ++ break; ++ } ++ }); ++ ++ // Toggle side/lower bars ++ $(document).on("click", ".botog", function(event) { ++ if ($('.tab_active').attr('id') != 't_sum') return; ++ var n = Number($('.botog').data("val")); ++ switch (n) { ++ case 1: ++ $('.botog').data("val","0"); ++ $('.content-right').css("width","100%"); ++ $('.botog').attr('src','.css/layout0.png'); ++ break; ++ case 0: ++ $('.botog').data("val","1"); ++ 
$('.content-right').css("width","82%"); ++ $('.botog').attr('src','.css/layout1.png'); ++ break; ++ } ++ $('.bottom').animate({height: 'toggle'}); ++ $('.content-left').animate({width: 'toggle'}); ++ }); ++ ++ // Section show and hide ++ $(".st").click(function() { ++ var thisSec = $(this).data("sec"); ++ var thisSecID = "#sec_" + thisSec; ++ var thisSecVis = $(thisSecID).css("display"); ++ var lastSection = "h"; ++ switch (thisSecVis) { ++ case "none": ++ $(this).attr("src", ".css/uarr.png"); ++ $(thisSecID).slideDown(); ++ break; ++ default: ++ $(this).attr("src", ".css/darr.png"); ++ $(thisSecID).slideUp(); ++ break; ++ } ++ }); ++ ++ // If search is in focus, update on enter ++ $('#search').keypress(function(e) { ++ if (!e) e=window.event; ++ key = e.keyCode ? e.keyCode : e.which; ++ if (key == 13) { ++ // Close comment box if it is open ++ if ($('#cat_box').css('display') != 'none') { ++ $('#ico01').click(); ++ } ++ $('.b_update').click(); ++ } ++ }); ++ ++ // Sort ASC/DESC ++ $(document).on("click", ".event_time", function(event) { ++ var csv = $(".event_time").text(); ++ switch (csv) { ++ case "show oldest first": ++ $("#event_sort").val("ASC"); ++ break; ++ case "show newest first": ++ $("#event_sort").val("DESC"); ++ break; ++ } ++ newView("u"); ++ }); ++ ++ // Update page ++ $(document).on("click", ".b_update", function(event) { ++ $(".icon_notifier").fadeToggle(); ++ $(".tag").remove(); ++ $(".tag_empty").show(); ++ // Remove any supplementary results ++ if ($("#extresult")[0]) $("#extresult").remove(); ++ // Where are we? 
++ var curTab = $('.tab_active').attr('id'); ++ switch (curTab) { ++ case 't_ovr': ++ loadSummary(); ++ break; ++ case 't_view': ++ mkView(); ++ break; ++ default: ++ $(".b_update_note").hide(); ++ newView("u"); ++ break; ++ } ++ }); ++ ++ // Clear search and refresh ++ $('#clear_search').click(function() { ++ if ($('#search').val() != '') { ++ $('#search').val(''); ++ $("#search").focus(); ++ if ($(".fl_val_on")[0]) { ++ $('.b_update').click(); ++ } ++ } ++ }); ++ ++ // Logout ++ $("#logout").click(function(event) { ++ $.get("index.php?id=0", function(){location.reload()}); ++ }); ++ ++ // Toggle filters ++ $(document).on('click', '.fl_val_on', function(event) { ++ var wF = $(this).data("ft"); ++ switch (wF) { ++ case "tl": ++ ++ break; ++ case "ob": ++ $('#clear_search').click(); ++ break; ++ case "sn": ++ $(".chk_sen").each(function() { ++ $(this).prop("checked",false); ++ }); ++ $('.b_update').click(); ++ break; ++ } ++ }); ++ ++ function clearTags() { ++ //$(".tag").remove(); ++ //$(".tag_empty").show(); ++ $(".tag").removeClass('tag_active'); ++ } ++ ++ // ++ // Rows ++ // ++ ++ function closeRow() { ++ $("#active_eview").remove(); ++ $("#" + this.id).attr('class','d_row'); ++ $(".d_row").css('opacity','1'); ++ ltCol = $(".d_row_active").find('td.lt').html(); ++ $(".d_row_active").find('td.lt').css('background', ltCol); ++ $(".d_row_active").attr('class','d_row'); ++ // Update class_count ++ $("#class_count").text(lastclasscount); ++ // Get rid of any crashed loaders ++ $("#loader").hide(); ++ // Reset checkbox ++ $(".chk_all").prop("checked",false); ++ // Clear Tags ++ clearTags(); ++ } ++ function closeSubRow() { ++ $("#eview_sub1").remove(); ++ $("#" + this.id).attr('class','d_row_sub'); ++ $(".d_row_sub").css('opacity','1'); ++ $(".d_row_sub_active").attr('class','d_row_sub'); ++ // Update class_count ++ $("#class_count").text(lastclasscount); ++ curclasscount = lastclasscount; ++ $("#loader").hide(); ++ // Reset and show checkbox ++ 
$(".chk_all").prop("checked",false); ++ $("#ca0").show(); ++ // Remove any open externals ++ if ($("#extresult")[0]) $("#extresult").remove(); ++ // Clear Tags ++ clearTags(); ++ } ++ function closeSubRow1() { ++ $("#eview_sub2").remove(); ++ $("#" + this.id).attr('class','d_row_sub1'); ++ if (!$("#eview_sub3")[0]) { ++ $(".d_row_sub1").css('opacity','1'); ++ $(".d_row_sub_active1").attr('class','d_row_sub1'); ++ } ++ $("#loader").hide(); ++ // Reset checkbox ++ $(".chk_all").prop("checked",false); ++ // Remove any open externals ++ if ($("#extresult")[0]) $("#extresult").remove(); ++ // Clear Tags ++ clearTags(); ++ } ++ function closeSubRow2() { ++ $("#eview_sub3").remove(); ++ $("#" + this.id).attr('class','d_row_sub1'); ++ if (!$("#eview_sub2")[0]) { ++ $(".d_row_sub1").css('opacity','1'); ++ $(".d_row_sub1_active").attr('class','d_row_sub1'); ++ } ++ $("#loader").hide(); ++ // Clear Tags ++ clearTags(); ++ } ++ ++ // ++ // Level 1 ++ // ++ ++ $(document).on("click", ".row_active", function(event) { ++ var curID = $(this).parent('tr').attr('id'); ++ // What type of row are we? ++ rowType = curID.substr(0,3); ++ ++ // Make sure no other instances are open ++ if (!$(".d_row_active")[0] && rowType == 'sid') { ++ $("#loader").show(); ++ // This leaves us with sid-gid ++ var rowValue = curID.replace("sid-",""); ++ var sigID = rowValue.split("-")[0]; ++ ++ $(".d_row_active").attr('class', 'd_row'); ++ $("#active_eview").attr('class','d_row'); ++ ++ // This is now the active row ++ $("#" + curID).attr('class','d_row_active'); ++ $("html, body").animate({ scrollTop: $('.d_row_active').offset().top - 140 }, 20); ++ // History ++ var itemToAdd = $("#" + curID).find('[class*="row_filter"]').text(); ++ hItemAdd(itemToAdd); ++ // Set the class count (counted again after load) ++ curclasscount = $('.d_row_active').data('event_count'); ++ var cols = $('th.sort').length; ++ var tbl = ''; ++ tbl += ""; ++ tbl += "
"; ++ tbl += "
"; ++ tbl += "
"; ++ tbl += "
"; ++ tbl += "
"; ++ tbl += "
"; ++ tbl += "
"; ++ tbl += "
"; ++ tbl += ""; ++ tbl += "CATEGORIZE"; ++ tbl += curclasscount + "EVENT(S)  "; ++ tbl += "    "; ++ tbl += "CREATE FILTER: "; ++ tbl += "src  "; ++ tbl += "dst  "; ++ tbl += "both"; ++ tbl += "
"; ++ $("#" + curID).after(tbl); ++ ++ // Lookup signature ++ sigLookup(rowValue); ++ ++ // Fetch results ++ eventList("1-" + rowValue); ++ ++ $("#eview").show(); ++ $(".d_row").fadeTo('0','0.2'); ++ } else { ++ closeRow(); ++ } ++ }); ++ ++ // ++ // Level 2 ++ // ++ ++ $(document).on("click", ".sub_active", function() { ++ if (!$(".d_row_sub_active")[0]) { ++ var callerID = $(this).parent('tr').attr('id'); ++ ++ // Reset checkbox ++ $(".chk_all").prop("checked",false); ++ ++ // RT or ALL? ++ switch (rtbit) { ++ case 1: adqp = s2h("AND event.status = 0"); break; ++ case 0: adqp = s2h("empty"); break; ++ } ++ // We are now the active row ++ $("#" + callerID).attr('class','d_row_sub_active'); ++ ++ // Populate search times ++ var bt = $("#" + callerID).find('[class*="timestamp"]').html(); ++ var est = mkStamp(bt,"-",3600000,thisTZ); ++ var eet = mkStamp(bt,"+",3600000,thisTZ); ++ ++ $('#el_start').val(est); ++ $('#el_end').val(eet); ++ ++ // Clear search terms ++ $("#srchterms").html(''); ++ $(".srch_txt").val(''); ++ ++ // History and search ++ $("#" + callerID).find('[class*="sub_filter"]').each(function() { ++ if ($(this).data('type') == 'cc') { ++ var itemToAdd = $(this).data('value'); ++ } else { ++ var itemToAdd = $(this).text(); ++ // Add search terms ++ $("#srchterms").append("" + itemToAdd + "  "); ++ } ++ hItemAdd(itemToAdd); ++ }); ++ ++ $("#loader").show(); ++ eventList("2-" + callerID + "-" + adqp); ++ } else { ++ closeSubRow(); ++ } ++ }); ++ ++ // ++ // Level 3 (a or b) request payload ++ // ++ ++ $(document).on("click", ".sub1_active", function() { ++ // Close transcript if it is open ++ if ($(".eview_sub3")[0]) closeSubRow2(); ++ if (!$(".d_row_sub_active1")[0]) { ++ var callerID = $(this).parent('tr').attr('id'); ++ $("#" + callerID).attr('class','d_row_sub_active1'); ++ ++ // Populate search times ++ var bt = $("#" + callerID).find('[class*="timestamp"]').html(); ++ var est = mkStamp(bt,"-",1800000,thisTZ); ++ var eet = 
mkStamp(bt,"+",1800000,thisTZ); ++ ++ $('#el_start').val(est); ++ $('#el_end').val(eet); ++ ++ // Clear search terms ++ $("#srchterms").html(''); ++ $(".srch_txt").val(''); ++ ++ // History ++ $("#" + callerID).find('[class*="sub_filter"]').each(function() { ++ if ($(this).data('type') == 'cc') { ++ var itemToAdd = $(this).data('value'); ++ } else { ++ var itemToAdd = $(this).text(); ++ } ++ if ($(this).data('type') == 'ip') { ++ // Add search terms ++ $("#srchterms").append("" + itemToAdd + "  "); ++ } ++ hItemAdd(itemToAdd); ++ }); ++ $("#loader").show(); ++ eventList("3-" + callerID); ++ } else { ++ closeSubRow1() ++ } ++ }); ++ ++ // ++ // Level 3 (a or b) request transcript ++ // ++ ++ $(document).on("click", ".sub2_active", function(event) { ++ // Close payload if it is open ++ if ($(".eview_sub2")[0]) closeSubRow1(); ++ var bail = $("#loader").css('display'); ++ if (bail != 'none') return; ++ if (!$(".eview_sub3")[0]) { ++ $("#loader").show(); ++ composite = $(this).data('tx').split("-"); ++ rowLoke = composite[0]; ++ $("#" + rowLoke).attr('class','d_row_sub1_active'); ++ nCols = $("#" + rowLoke).find('td').length; ++ cid = composite[1]; ++ txdata = composite[2]; ++ ++ // See if a transcript is available ++ var urArgs = "type=" + 7 + "&txdata=" + txdata; ++ $(function(){ ++ $.post(".inc/callback.php?" + urArgs, function(data){cb5(data)}); ++ }); ++ ++ function cb5(data){ ++ eval("txRaw=" + data); ++ txCMD = txRaw.cmd; ++ txResult = txRaw.tx; ++ txDebug = txRaw.dbg; ++ if (txResult == "DEBUG:") txResult += " No data was returned."; ++ if (!txResult) { ++ txResult = "Transcript request failed!

"; ++ txResult += "The command was:
" + txCMD + "

"; ++ txResult += "The response was:" + txDebug.replace(/DEBUG:/g,"
"); ++ } ++ ++ var row = '',tbl = ''; ++ row += ""; ++ row += ""; ++ row += "
"; ++ row += txResult; ++ row += "
"; ++ ++ tbl += ""; ++ tbl += row; ++ tbl += ""; ++ $("#" + rowLoke).after(tbl); ++ ++ // Turn off fade effect for large results ++ var rC = $(".d_row_sub1").length; ++ if ( rC <= 399 ) { ++ $(".d_row_sub1").fadeTo('fast','0.2'); ++ } ++ ++ $("#loader").hide(); ++ } ++ } else { ++ closeSubRow2(); ++ } ++ }); ++ ++ // Toggle RT depending on entry point ++ $(document).on("click", ".b_ec_hot", function() { ++ rtbit = 1; ++ }); ++ $(document).on("click", ".b_ec_total", function() { ++ rtbit = 0; ++ }); ++ ++ // Filter constructor ++ function mkFilter() { ++ if ($('#search').val().length > 0) { ++ ++ var srchVal = $('#search').val(); ++ var fParts = ""; ++ ++ // If no term is supplied default to a string, IP or wildcard IP search ++ chkVal: ++ if (srchVal.indexOf(" ") == -1 && srchVal[0] != "!") { ++ var re = /^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}/; ++ if (re.exec(srchVal)) { ++ srchVal = "ip " + srchVal; ++ break chkVal; ++ } ++ ++ var re = /^(\d{1,3}|%)\.(\d{1,3}|%)\.(\d{1,3}|%)\.(\d{1,3}|%)/; ++ if (re.exec(srchVal)) { ++ srchVal = "wip " + srchVal; ++ break chkVal; ++ } ++ ++ srchVal = "sig " + srchVal; ++ } ++ ++ fParts = srchVal.replace(/^!/,"").split(" "); ++ if (fParts[0] == 'cmt') { ++ var theFilter = s2h($('#search').val()); ++ rtbit = 0; ++ } else { ++ // Now see if the requested filter exists ++ if ($("#tr_" + fParts[0]).length > 0) { ++ tmpFilter = $("#tr_" + fParts[0]).data('filter'); ++ // Now see if we need to modify the query ++ if (fParts[1]) { ++ // This is the base filter ++ preFilter = h2s(tmpFilter); ++ // This is the user supplied text. 
++ var re = new RegExp("^" + fParts[0] + "\\s{1}|[';\\\`]","g"); ++ theQuestion = fParts.join(' ').replace(re, ""); ++ // We will accept multiple questions if they are comma delimited ++ questionParts = theQuestion.split(","); ++ if (questionParts.length > 1) { ++ var f = '('; ++ for (var i = 0; i < questionParts.length; i++) { ++ f += preFilter.replace(/\$/g, questionParts[i]); ++ if (i != (questionParts.length - 1)) { ++ f += " OR "; ++ } ++ } ++ f += ')'; ++ theFilter = s2h(f); ++ } else { ++ var newFilter = preFilter.replace(/\$/g, questionParts[0]); ++ theFilter = s2h(newFilter); ++ } ++ } else { ++ theFilter = tmpFilter; ++ } ++ } else { // The filter does not exist ++ theFilter = s2h('empty'); ++ } ++ } ++ } else { // No filter supplied ++ theFilter = s2h('empty'); ++ } ++ return theFilter; ++ } ++ ++ // ++ // This creates the views for each level ++ // ++ ++ function eventList (type) { ++ theWhen = getTimestamp(); ++ statusPoll(0); ++ var parts = type.split("-"); ++ var filterMsg = ''; ++ var rt = 0; ++ var theSensors = s2h('empty'); ++ var theFilter = mkFilter(); ++ ++ // See if we are just RT events ++ if ($('#rt').text() == 'on' || rtbit == 1) { ++ rt = 1; ++ rtbit = 1; ++ } ++ // How are we sorting? 
++ var sortval = $("#event_sort").val(), sorttxt; ++ switch (sortval) { ++ case "DESC": sorttxt = "show oldest first"; break; ++ case "ASC": sorttxt = "show newest first"; break; ++ } ++ ++ // See if we are filtering by sensor ++ if ($('.chk_sen:checked').length > 0) { ++ var active_sensors = "AND event.sid IN("; ++ var iter = $('.chk_sen:checked').length; ++ $('.chk_sen:checked').each(function() { ++ active_sensors += "'" + $(this).val() + "',"; ++ }); ++ active_sensors = active_sensors.replace(/,+$/,''); ++ active_sensors += ")"; ++ theSensors = s2h(active_sensors); ++ } ++ ++ // Check for any filters ++ if (h2s(theFilter) != 'empty') { ++ $('.fl_val').text('YES'); ++ } else { ++ $('.fl_val').text('NO'); ++ } ++ ++ switch (parts[0]) { ++ ++ // Level 0 view - Grouped by Signature ++ case "0": ++ $('.value').text('-'); ++ ++ // Times Chart ++ var urChrtArgs = "type=22&ts=" + theWhen + "&filter=" + theFilter + "&sensors=" + theSensors; ++ $(function(){ ++ $.get(".inc/callback.php?" + urChrtArgs, function(data){cb22(data)}); ++ }); ++ ++ function cb22(data){ ++ eval("chartData=" + data); ++ var r = chartData.r; ++ if (r > 0) { ++ mkLine(".times",chartData.rows,chartData.m); ++ } ++ } ++ ++ var urArgs = "type=" + parts[0] + "&ts=" + theWhen + "&filter=" + theFilter + "&sensors=" + theSensors + "&rt=" + rt + "&sv=" + sortval; ++ $(function(){ ++ $.get(".inc/callback.php?" 
+ urArgs, function(data){cb1(data)}); ++ }); ++ function cb1(data){ ++ eval("d0=" + data); ++ var tbl = ''; ++ var head = ''; ++ var row = ''; ++ var cols = 11; ++ ++ if (rt == 0) cols = 12; ++ head += ""; ++ head += ""; ++ head += "QUEUE"; ++ if (rt == 0) head += "ALL"; ++ head += ""; ++ head += "SC"; ++ head += "DC"; ++ if (rt == 0) head += "CLASS"; ++ head += "ACTIVITY"; ++ head += "LAST EVENT"; ++ head += "SIGNATURE"; ++ head += "ID"; ++ head += "PROTO"; ++ head += "% TOTAL"; ++ head += ""; ++ ++ var sumEC = 0, sumSC = 0, sumDC = 0, sumSI = "-", spr1 = 0, spr2 = 0, spr3 = 0, spr4 = 0; ++ ++ if (d0.length > 0) { ++ // Sums for boxes ++ for (var i=0; i"; ++ row += "No result. If this is unexpected try this"; ++ } ++ ++ if (rt == 1) { ++ sumSC = "-"; ++ sumDC = "-"; ++ sumEC = eTotal; ++ } ++ ++ var sumRT = 0; ++ ++ // Tag Array ++ var tags = new Array(); ++ ++ for (var i=0; i 0 ) { ++ rtClass = "b_ec_hot"; ++ sumRT += parseInt(unClass); ++ } else { ++ rtClass = "b_ec_cold"; ++ } ++ ++ // Sum priorities ++ var prC = Number(d0[i].f1); ++ switch (d0[i].f13) { ++ case "1": spr1 += prC; break; ++ case "2": spr2 += prC; break; ++ case "3": spr3 += prC; break; ++ default: spr4 += prC; break; ++ } ++ ++ rid = "r" + i + "-" + parts[1]; ++ var cells = mkGrid(d0[i].f12); ++ if (rt == 0) var catCells = catGrid(d0[i].f11,0,0); ++ row += ""; ++ row += "
" + unClass + "
"; ++ if (rt == 0) row += "
" + d0[i].f1 + "
"; ++ row += "
" + d0[i].f13 + "
"; ++ row += "" +d0[i].f6+ ""; ++ row += "" +d0[i].f7+ ""; ++ if (rt == 0) row += "" + catCells + ""; ++ ++ timeParts = d0[i].f5.split(" "); ++ timeStamp = timeParts[1]; ++ ++ if ( sumEC > 0) { ++ rowPer = Number(d0[i].f1/sumEC*100).toFixed(3); ++ } else { ++ rowPer = "0.000"; ++ } ++ ++ row += "" + cells + ""; ++ row += "" + timeStamp + ""; ++ row += ""; ++ //row += "
" + d0[i].f2 + "
"; ++ row += d0[i].f2 + ""; ++ row += "" + d0[i].f3 + ""; ++ row += "" + d0[i].f8 + ""; ++ ++ ++ row += "" + rowPer + "%"; ++ row += ""; ++ } ++ ++ // Populate event summary ++ $('#qtotal').text(sumRT); ++ $('#etotal').text(sumEC); ++ $('#esignature').text(sumSI); ++ ++ // Populate tags ++ for (var i=0; i < tags.length; i++) { ++ addTag(tags[i]); ++ } ++ ++ tbl += ""; ++ tbl += head; ++ tbl += row; ++ tbl += "
"; ++ ++ $('#' + parts[1] + '-' + parts[2]).append(tbl); ++ ++ if (d0.length > 0) { ++ var prVals = [spr1,spr2,spr3,spr4]; ++ var pryBar = mkPribar(prVals); ++ } else { ++ var pryBar = mkPribar([0]); ++ } ++ $('#tl1').fadeIn('slow'); ++ $("#tl1").tablesorter(); ++ $("#loader").hide(); ++ } ++ break; ++ ++ // Level 1 view - Grouped by signature, source, destination ++ ++ case "1": ++ var urArgs = "type=" + parts[0] + "&object=" + parts[1] + "&ts=" + theWhen + "&filter=" + theFilter + "&sensors=" + theSensors + "&rt=" + rt + "&sv=" + sortval; ++ $(function(){ ++ $.get(".inc/callback.php?" + urArgs, function(data){cb2(data)}); ++ }); ++ ++ function cb2(data){ ++ eval("theData=" + data); ++ tbl = ''; ++ head = ''; ++ row = ''; ++ head += "QUEUE"; ++ if (rt == 0) head += "TOTAL"; ++ if (rt == 0) head += "CLASS"; ++ head += "ACTIVITY"; ++ head += "LAST EVENT"; ++ head += "SOURCE"; ++ head += "AGE"; ++ head += "COUNTRY"; ++ head += "DESTINATION"; ++ head += "AGE"; ++ head += "COUNTRY"; ++ head += ""; ++ var curclasscount = 0, tlCount = 0, rtCount = 0; ++ var timeValues = "", scid = ""; ++ ++ // Tag array ++ var tags = new Array(); ++ ++ for (var i=0; i 0 ) { ++ rtClass = "b_ec_hot"; ++ isActive = "sub_active"; ++ } else { ++ rtClass = "b_ec_cold"; ++ isActive = "sub"; ++ } ++ ++ // Aggregate time values ++ timeValues += theData[i].c_ts + ","; ++ var cells = mkGrid(theData[i].f12); ++ if (rt == 0) var catCells = catGrid(theData[i].c_status,0,0); ++ ++ // Event sums ++ tlCount += parseInt(count,10); ++ rtCount += parseInt(unclass,10); ++ ++ rid = "r" + i + "-" + parts[1] + "-" + src_ip + "-" + dst_ip; ++ row += ""; ++ row += "
" + unclass + "
"; ++ if (rt == 0) row += "
" + count + "
"; ++ if (rt == 0) row += "" + catCells + ""; ++ row += "" + cells + ""; ++ row += "" + max_time + ""; ++ row += "
" + src_ip + ""; ++ row += "" + src_age_n + ""; ++ row += ""; ++ row += cs[1] + src_clong + " (." + src_cc.toLowerCase() + ")" + ""; ++ row += "
" + dst_ip + ""; ++ row += "" + dst_age_n + ""; ++ row += ""; ++ row += cd[1] + dst_clong + " (." + dst_cc.toLowerCase() + ")" + ""; ++ row += ""; ++ } ++ ++ // Populate tags ++ for (var i=0; i < tags.length; i++) { ++ addTag(tags[i]); ++ } ++ ++ // Add scid's to checkbox ++ $("#ca0").data("scid", scid.replace(/,$/, "")); ++ ++ // If queue is empty provide event sums in case the user ++ // intends to reclass anything ++ if (rtbit == 1) { ++ curclasscount = rtCount; ++ } else { ++ curclasscount = tlCount; ++ } ++ ++ // update class_count ++ $("#class_count").html(curclasscount); ++ lastclasscount = $("#class_count").html(); ++ ++ // While in grouped events (RT) we remove rows as ++ // they are classed and subtract the values from "Total Events" ++ // This keeps etotal up to date so the math doesn't get silly ++ var oldrt = Number($(".d_row_active").find(".b_ec_hot").text()); ++ var oldec = Number($("#etotal").text()); ++ if (oldrt < rtCount) { ++ newrtcount = parseInt((rtCount - oldrt) + oldec); ++ $("#etotal").text(newrtcount); ++ } ++ ++ // Update parent counts ++ $(".d_row_active").find(".b_ec_hot").text(rtCount); ++ if (rt == 0) $(".d_row_active").find(".b_ec_total").text(tlCount); ++ ++ tbl += "
"; ++ tbl += head; ++ tbl += row; ++ tbl += "
"; ++ $("#eview").after(tbl); ++ $("#tl2").tablesorter({ ++ headers: { ++ 4: {sorter:'ipv4'}, ++ 6: {sorter:'ipv4'} ++ } ++ }); ++ $("#loader").hide(); ++ } ++ break; ++ ++ // Level 2 view - No grouping, individual events ++ ++ case "2": ++ var rowLoke = parts[1]; ++ var filter = $('#' + parts[1]).data('filter'); ++ var urArgs = "type=" + parts[0] + "&object=" + filter + "&filter=" + theFilter + "&sensors=" + theSensors + "&ts=" + theWhen + "&adqp=" + parts[2] + "&rt=" + rt + "&sv=" + sortval; ++ $(function(){ ++ $.get(".inc/callback.php?" + urArgs, function(data){cb3(data)}); ++ }); ++ ++ function cb3(data){ ++ eval("d2=" + data); ++ tbl = ''; ++ head = ''; ++ row = ''; ++ head += ""; ++ head += ""; ++ head += "ST"; ++ head += "TIMESTAMP"; ++ head += "EVENT ID"; ++ head += "SOURCE"; ++ head += "PORT"; ++ head += "DESTINATION"; ++ head += "PORT"; ++ head += "SIGNATURE"; ++ head += ""; ++ ++ // Update class_count ++ $("#class_count").html(0); ++ var tlCount=0, rtCount=0; ++ ++ // Tag array ++ var tags= new Array(); ++ ++ for (var i=0; i"; ++ tclass = "c" + eclass; ++ cv = classifications.class[tclass][0].short; ++ ++ // Populate tags array ++ if (src_tag != "-") { ++ var src_tags = src_tag.split(","); ++ $.each(src_tags, function(n,tag) { ++ var t = tags.indexOf(tag); ++ if (t < 0) tags.push(tag); ++ }); ++ } ++ ++ if (dst_tag != "-") { ++ var dst_tags = dst_tag.split(","); ++ $.each(dst_tags, function(n,tag) { ++ var t = tags.indexOf(tag); ++ if (t < 0) tags.push(tag); ++ }); ++ } ++ ++ // Timestamp ++ var compts = d2[i].f2.split(",") || "--"; ++ var timestamp = compts[0]; ++ var utctimestamp = compts[1]; ++ ++ // Event sums ++ tlCount += parseInt(1,10); ++ if (cv == "RT") { ++ rtCount += parseInt(1,10); ++ } ++ ++ // Transcript link ++ // original Squert native pivot: ++ //txdata = "s" + i + "-" + cid + "-" + s2h(sid + "|" + utctimestamp + "|" + src_ip + "|" + src_port + "|" + dst_ip + "|" + dst_port); ++ //txBit = "" + sid + "." + cid + "
"; ++ //if (src_port != "-" && dst_port != "-") { ++ // txBit = "" + sid + "." + cid + ""; ++ //} ++ // new pivot to CapMe: ++ txdata = "s" + i + "-" + cid + "-" + s2h(sid + "|" + utctimestamp + "|" + src_ip + "|" + src_port + "|" + dst_ip + "|" + dst_port); ++ txBit = "" + sid + "." + cid + ""; ++ if (src_port != "-" && dst_port != "-") { ++ var startDate = new Date(utctimestamp); ++ var start_tz_offset = (startDate.getTimezoneOffset()); ++ var stime = startDate.setTime( startDate.getTime()/1000-(start_tz_offset*60) ) - 3600; ++ var endDate = new Date(utctimestamp); ++ var end_tz_offset = (endDate.getTimezoneOffset()); ++ var etime = endDate.setTime( endDate.getTime()/1000-(end_tz_offset*60) ) + 3600; ++ txBit = " " + sid + "." + cid + ""; ++ } ++ ++ row += ""; ++ row += "
"; ++ row += cv + "
"; ++ row += "" + timestamp + ""; ++ row += txBit; ++ row += "" + src_ip + ""; ++ row += "" + src_port + ""; ++ row += "" + dst_ip + ""; ++ row += "" + dst_port + ""; ++ row += "" + signature + ""; ++ row += ""; ++ } ++ ++ // Update parent counts ++ $(".d_row_sub_active").find(".b_ec_hot").text(rtCount); ++ if ($(".d_row_sub_active").find(".b_ec_total").text() < tlCount) { ++ $(".d_row_sub_active").find(".b_ec_total").text(tlCount); ++ } ++ ++ var cols = $('th.sort').length; ++ ++ // Populate tags ++ clearTags(); ++ for (var i=0; i < tags.length; i++) { ++ addTag(tags[i]); ++ } ++ ++ tbl += ""; ++ tbl += ""; ++ tbl += head; ++ tbl += row; ++ tbl += "
"; ++ $("#" + rowLoke).after(tbl); ++ $(".d_row_sub").fadeTo('0','0.2'); ++ $("#loader").hide(); ++ $("#tl3").tablesorter({ ++ headers: { ++ 0:{sorter:false}, ++ 4:{sorter:'ipv4'}, ++ 6:{sorter:'ipv4'} ++ }, ++ cancelSelection:false ++ }); ++ $("#ca0").hide(); ++ } ++ break; ++ ++ // Level 2a view - No grouping, individual events ++ ++ case "2a": ++ $('.value').text('-'); ++ var urArgs = "type=2a&ts=" + theWhen + "&filter=" + theFilter + "&sensors=" + theSensors + "&rt=" + rt + "&sv=" + sortval; ++ $(function(){ ++ $.get(".inc/callback.php?" + urArgs, function(data){cb3a(data)}); ++ }); ++ ++ function cb3a(data){ ++ eval("d2a=" + data); ++ var tbl = ''; ++ var head = ''; ++ var row = ''; ++ var disabled = ''; ++ if (d2a.length == 0) { ++ disabled = "disabled"; ++ row += ""; ++ row += "No result. If this is unexpected try this"; ++ } ++ ++ head += ""; ++ head += ""; ++ head += ""; ++ head += "ST"; ++ head += ""; ++ head += "TIMESTAMP"; ++ head += "ID"; ++ head += "SOURCE"; ++ head += "PORT"; ++ head += "AGE"; ++ head += "CC"; ++ head += "DESTINATION"; ++ head += "PORT"; ++ head += "AGE"; ++ head += "CC"; ++ head += "SIGNATURE"; ++ head += ""; ++ ++ // Aggregate time values ++ var timeValues = ""; ++ for (var ts=0; ts" + sid + "." + cid + ""; ++ //if (src_port != "-" && dst_port != "-") { ++ // txBit = "" + sid + "." + cid + ""; ++ //} ++ // new pivot to CapMe: ++ txdata = "s" + i + "-" + cid + "-" + s2h(sid + "|" + utctimestamp + "|" + src_ip + "|" + src_port + "|" + dst_ip + "|" + dst_port); ++ txBit = "" + sid + "." + cid + ""; ++ if (src_port != "-" && dst_port != "-") { ++ var startDate = new Date(utctimestamp); ++ var start_tz_offset = (startDate.getTimezoneOffset()); ++ var stime = startDate.setTime( startDate.getTime()/1000-(start_tz_offset*60) ) - 3600; ++ var endDate = new Date(utctimestamp); ++ var end_tz_offset = (endDate.getTimezoneOffset()); ++ var etime = endDate.setTime( endDate.getTime()/1000-(end_tz_offset*60) ) + 3600; ++ txBit = " " + sid + "." 
+ cid + ""; ++ } ++ ++ row += ""; ++ row += ""; ++ row += "
"; ++ row += cv + "
"; ++ row += "
" + d2a[i].f16 + "
"; ++ row += "" + timestamp + ""; ++ row += txBit; ++ row += "
" + src_ip + ""; ++ row += "" + src_port + ""; ++ row += "" + src_age_n + ""; ++ row += "" + cs[1] + ""; ++ row += "
" + dst_ip + ""; ++ row += "" + dst_port + ""; ++ row += "" + dst_age_n + "" ++ row += "" + cd[1] + ""; ++ row += "" + signature + ""; ++ } ++ ++ var sumED = 0, sumEC = 0, cmsg = ""; ++ ++ if (d2a.length > 0) { ++ sumED = i; ++ sumEC = d2a.length; ++ } ++ ++ if (d2a.length >= maxI) { ++ sumRE = sumEC - maxI; ++ cmsg = " / " + sumRE + " not shown"; ++ } ++ ++ $("#qtotal").html(rsumRT); ++ ++ // Populate tags ++ clearTags(); ++ for (var i=0; i < tags.length; i++) { ++ addTag(tags[i]); ++ } ++ ++ // Draw ++ tbl += ""; ++ tbl += "
"; ++ tbl += "
"; ++ tbl += "
"; ++ tbl += "categorize " + 0 + ""; ++ tbl += " of " + sumED + " event(s)" + cmsg; ++ tbl += "
"; ++ tbl += "
" + sorttxt + "
"; ++ tbl += "
"; ++ tbl += "
"; ++ tbl += ""; ++ tbl += head; ++ tbl += row; ++ tbl += "
"; ++ $('#' + parts[1] + '-' + parts[2]).after(tbl); ++ ++ if (d2a.length > 0) { ++ var prVals = [spr1,spr2,spr3,spr4]; ++ var pryBar = mkPribar(prVals); ++ } else { ++ var pryBar = mkPribar([0]); ++ } ++ $("#tl3a,#tl3b").fadeIn('slow'); ++ $("#tl3b").tablesorter({ ++ headers: { ++ 0:{sorter:false}, ++ 1:{sorter:false}, ++ 5:{sorter:'ipv4'}, ++ 8:{sorter:'ipv4'} ++ }, ++ cancelSelection:false ++ }); ++ $("#loader").hide(); ++ } ++ break; ++ ++ // Level 3 view - Packet Data ++ ++ case "3": ++ var rowLoke = parts[1]; ++ var nCols = $('#' + parts[1]).data('cols'); ++ var filter = $('#' + parts[1]).data('filter'); ++ var urArgs = "type=" + parts[0] + "&object=" + filter + "&ts=" + theWhen; ++ var sg = $('#' + parts[1]).data('sg'); ++ $(function(){ ++ $.get(".inc/callback.php?" + urArgs, function(data){cb4(data)}); ++ }); ++ ++ function cb4(data){ ++ eval("theData=" + data); ++ ++ var tbl = '', head = '', row = ''; ++ ++ // If IP version is 0 we can jump right to the payload (likely bro, http or ossec agent) ++ if (theData[0].ip_ver != 0) { ++ ++ var PDATA = 0; ++ head += ""; ++ head += ""; ++ head += ""; ++ head += ""; ++ head += ""; ++ head += ""; ++ head += ""; ++ head += ""; ++ head += ""; ++ head += ""; ++ head += ""; ++ head += ""; ++ head += ""; ++ head += ""; ++ ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += "
IPVERIHLTOSLENGTHIDFLAGSOFFSETTTLCHECKSUMPROTO
" + theData[0].ip_ver + "" + theData[0].ip_hlen + "" + theData[0].ip_tos + "" + theData[0].ip_len + "" + theData[0].ip_id + "" + theData[0].ip_flags + "" + theData[0].ip_off + "" + theData[0].ip_ttl + "" + theData[0].ip_csum + "" + theData[0].ip_proto + "
"; ++ ++ switch (theData[0].ip_proto) { ++ case "1": ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += "
ICMPTYPECODECHECKSUMIDSEQ#
" + theData[1].icmp_type + "" + theData[1].icmp_code + "" + theData[1].icmp_csum + "" + theData[1].icmp_id + "" + theData[1].icmp_seq + "
"; ++ break; ++ ++ case "6": ++ // TCP flags ++ var tmpFlags = theData[1].tcp_flags || 'z'; ++ switch (tmpFlags) { ++ case 'z': var tcpFlags = '--------'; break; ++ default: ++ var binFlags = Number(theData[1].tcp_flags).toString(2); ++ var binPad = 8 - binFlags.length; ++ var tcpFlags = "00000000".substring(0,binPad) + binFlags; ++ break; ++ } ++ var tcp_seq = theData[1].tcp_seq || '-'; ++ var tcp_ack = theData[1].tcp_ack || '-'; ++ var tcp_off = theData[1].tcp_off || '-'; ++ var tcp_res = theData[1].tcp_res || '-'; ++ var tcp_win = theData[1].tcp_win || '-'; ++ var tcp_urp = theData[1].tcp_urp || '-'; ++ var tcp_csum = theData[1].tcp_csum || '-'; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += "
TCPR1R0URGACKPSHRSTSYNFINSEQ#ACK#OFFSETRESWINURPCHECKSUM
" + tcpFlags[0] + "" + tcpFlags[1] + "" + tcpFlags[2] + "" + tcpFlags[3] + "" + tcpFlags[4] + "" + tcpFlags[5] + "" + tcpFlags[6] + "" + tcpFlags[7] + "" + tcp_seq + "" + tcp_ack + "" + tcp_off + "" + tcp_res + "" + tcp_win + "" + tcp_urp + "" + tcp_csum + "
"; ++ break; ++ ++ case "17": ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += "
UDPLENGTHCHECKSUM
" + theData[1].udp_len + "" + theData[1].udp_csum + "
"; ++ break; ++ } ++ ++ var p_hex = '', p_ascii = '', p_ascii_l = ''; ++ ++ // Data ++ if (!theData[2]) { ++ p_hex = "No Data Sent."; ++ p_ascii = "No Data Sent."; ++ } else { ++ p_pl = theData[2].data_payload; ++ p_length = theData[2].data_payload.length; ++ var b0 = 0; ++ ++ for(var i=0; i < p_length; i+=2) { ++ b0++; ++ t_hex = p_pl.substr(i,2); ++ t_int = parseInt(t_hex,16); ++ ++ if ((t_int < 32) || (t_int > 126)) { ++ p_hex += t_hex + " "; ++ p_ascii += "."; ++ p_ascii_l += "."; ++ } else if (t_int == 60) { ++ p_hex += t_hex + " "; ++ p_ascii += "<"; ++ p_ascii_l += "<"; ++ } else if (t_int == 62) { ++ p_hex += t_hex + " "; ++ p_ascii += ">"; ++ p_ascii_l += ">"; ++ } else { ++ p_hex += t_hex + " "; ++ p_ascii += String.fromCharCode(parseInt(t_hex, 16)); ++ p_ascii_l += String.fromCharCode(parseInt(t_hex, 16)); ++ } ++ ++ if ((b0 == 16) && (i < p_length)) { ++ p_hex += "
"; ++ p_ascii += "
"; ++ b0 = 0; ++ } ++ } ++ } ++ ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += "
DATAHEXASCII
" + p_hex + "" + p_ascii + "
ASCII" + p_ascii_l + "
"; ++ ++ } else { ++ ++ head += ""; ++ var p_ascii = "No Data Sent."; ++ // This needs to be more robust. ++ if (theData[2]) { ++ var tmp = h2s(theData[2].data_payload).split("\n"); ++ p_ascii = ''; ++ for (var i in tmp) { ++ p_ascii += "
" + tmp[i] + "
"; ++ } ++ ++ } ++ row += ""; ++ row += ""; ++ row += "
" + p_ascii + "
"; ++ } ++ ++ tbl += ""; ++ ++ // If we are not grouped we show the signature text ++ if ( sg != 0 ) { ++ tbl += "
"; ++ tbl += "
"; ++ tbl += "
"; ++ tbl += "
"; ++ tbl += "
"; ++ tbl += "
"; ++ sigLookup(sg); ++ } ++ ++ // Comments and tags are done here ++ var tags = new Array(); ++ var eventTag = 'None.'; ++ var eventComment = theData[0].comment || 'None.'; ++ var src_tag = theData[0].srctag || '-'; ++ var dst_tag = theData[0].dsttag || '-'; ++ ++ // Populate tags array ++ if (src_tag != "-") { ++ var src_tags = src_tag.split(","); ++ $.each(src_tags, function(n,tag) { ++ var t = tags.indexOf(tag + ",s"); ++ if (t < 0) tags.push(tag + ",s"); ++ }); ++ } ++ ++ if (dst_tag != "-") { ++ var dst_tags = dst_tag.split(","); ++ $.each(dst_tags, function(n,tag) { ++ var t = tags.indexOf(tag + ",d"); ++ if (t < 0) tags.push(tag + ",d"); ++ }); ++ } ++ ++ if (tags.length > 0) eventTag = ''; ++ ++ tbl += "
COMMENTS
"; ++ tbl += "
" + eventComment + "
"; ++ tbl += "
TAGS
"; ++ tbl += "
" + eventTag + "
"; ++ if (PDATA != 0) { ++ tbl += "
DETAILS
"; ++ } else { ++ tbl += "
PAYLOAD
"; ++ } ++ tbl += head; ++ tbl += row; ++ tbl += ""; ++ $("#" + rowLoke).after(tbl); ++ $("#loader").hide(); ++ ++ // Turn off fade effect for large results ++ var rC = $(".d_row_sub1").length; ++ if ( rC <= 499 ) { ++ $(".d_row_sub1").fadeTo('fast','0.2'); ++ } ++ ++ // Populate tags ++ clearTags(); ++ for (var i=0; i < tags.length; i++) { ++ addTag(tags[i]); ++ } ++ ++ } ++ break; ++ } ++ // If event queue is off we need to reset this after load if b_ec_hot was ++ // the entry point ++ if ($('#rt').text() == 'off') rtbit = 0; ++ } ++ ++ // ++ // Object click handlers ++ // ++ ++ $(document).on("click", ".select,.ex_val,.sub_filter,.row_filter,.tof,.value_link,.nr_f", function(e) { ++ // Check if we are coming from a legit object ++ var prefix = $(this).data('type'); ++ if (prefix == "none") return; ++ ++ // Check if we are coming from a sane selection ++ var selLen = window.getSelection().toString().length; ++ if (selLen > 4) { ++ if (selLen < 255) { // Might need to change these based on how people use this ++ prefix = "zz"; ++ var suffix = window.getSelection().toString(); ++ var re = /\s/g; ++ var NOK = re.exec(suffix); ++ if (NOK) return; ++ } else { ++ return; ++ } ++ } else { ++ var suffix = $(this).text(); ++ } ++ ++ var mX = e.pageX; ++ var mY = e.pageY; ++ ++ var colour = $(this).data('col') || "FFFFFF"; ++ var tfocus = "#search"; ++ switch (prefix) { ++ case 'ip': ++ hItemAdd(suffix); ++ var sord = $(this).data('sord'); ++ mkPickBox(prefix,suffix,sord,colour,mX,mY); ++ break; ++ case 'spt': ++ case 'dpt': ++ hItemAdd(suffix); ++ mkPickBox(prefix,suffix,0,colour,mX,mY); ++ break; ++ case 'cc': ++ case 'scc': ++ case 'dcc': ++ var cc = $(this).data('value'); ++ hItemAdd(cc); ++ mkPickBox(prefix,cc,suffix,colour,mX,mY); ++ break; ++ case 'cmt': ++ suffix = $(this).data('comment'); ++ $("#rt").text("off"); ++ $("#rt").attr('class','tvalue_off'); ++ $('#search').val(prefix + " " + suffix); ++ hItemAdd(suffix); ++ if ($('#cat_box').css('display') != 'none') { 
++ $('#ico01').click(); ++ } ++ $('.b_update').click(); ++ break; ++ case 'cmt_c': ++ $('.cat_msg_txt').val(suffix); ++ hItemAdd(suffix); ++ tfocus = ".cat_msg_txt"; ++ break; ++ case 'fil': ++ var fil = $(this).data('value'); ++ $('#search').val(fil); ++ hItemAdd(fil); ++ if ($('#fltr_box').css('display') != 'none') { ++ $('#ico04').click(); ++ } ++ $('.b_update').click(); ++ break; ++ case 'sid': ++ var value = $(this).data('value'); ++ hItemAdd(suffix); ++ mkPickBox(prefix,value,suffix,colour,mX,mY); ++ break; ++ case 'st': ++ var suffix = $(this).attr('id').split('-')[1]; ++ $('#search').val(prefix + " " + suffix); ++ // RT must be off to return anything ++ $('#rt').attr('class','tvalue_off'); ++ $('#rt').text('off'); ++ rtbit = 0; ++ $('.b_update').click(); ++ break; ++ case 'el': ++ var suffix = $(this).data('value'); ++ mkPickBox(prefix,suffix,0,colour,mX,mY); ++ break; ++ case 'zz': ++ hItemAdd(suffix); ++ mkPickBox(prefix,suffix,0,colour,mX,mY); ++ break; ++ } ++ }); ++ ++ // ++ // Picker Box ++ // ++ ++ function mkPickBox(prefix,suffix,rsuffix,colour,mX,mY) { ++ var doexternals = "yes"; ++ var objhex = s2h(suffix); ++ var tbl = '', row = ''; ++ // Local stuff first ++ switch (prefix[prefix.length - 1]) { ++ case "c": ++ row += ":: SRC or DST"; ++ row += ":: SRC"; ++ row += ":: DST"; ++ row += ":: SEARCH"; ++ break; ++ case "p": ++ row += ":: SRC or DST"; ++ row += ":: SRC"; ++ row += ":: DST"; ++ row += ":: ADD / REMOVE TAG"; ++ if ($('.sigtxt')[0]) { ++ row += ":: HISTORY"; ++ } ++ row += ":: SEARCH"; ++ row += ":: COLOUR  "; ++ row += ""; ++ row += "apply"; ++ row += "apply all"; ++ row += ""; ++ break; ++ case "t": ++ row += ":: SRC"; ++ row += ":: DST"; ++ row += ":: SEARCH"; ++ break; ++ case "d": ++ row += ":: SIGNATURE"; ++ if ($('.sigtxt')[0]) { ++ row += ":: HISTORY"; ++ } ++ row += ":: SEARCH"; ++ break; ++ case "l": ++ row += ":: COLOUR  "; ++ row += ""; ++ row += "update"; ++ doexternals = "no"; ++ break; ++ case "z": ++ row += ":: SEARCH"; ++ 
break; ++ } ++ ++ // If applicable populate externals ++ if (doexternals == "yes") { ++ $('.f_row').each(function() { ++ var ct = $(this).data('type'); ++ if (ct == 'url') { ++ var alias = $(this).data('alias'); ++ var name = $(this).data('name'); ++ var url = $(this).data('filter'); ++ row += ""; ++ row += "" + name + ""; ++ row += ""; ++ } ++ }); ++ } ++ ++ tbl += ""; ++ tbl += row; ++ tbl += "
"; ++ ++ var boxlabel = suffix; ++ ++ // Use more descriptive names where possible ++ var re = /(sid|cc|scc|dcc)/; ++ var OK = re.exec(prefix); ++ if (OK) { ++ var boxlabel = rsuffix; ++ } ++ ++ if (boxlabel.length > 24) { ++ boxlabel = boxlabel.substring(0,24); ++ boxlabel += ".."; ++ } ++ ++ $('#pickbox_label').text(boxlabel).css('font-weight','normal').data('sord', rsuffix); ++ ++ if ($('#tlpick')[0]) $('#tlpick').remove(); ++ $(".pickbox_tbl").append(tbl); ++ $('.pickbox').fadeIn('fast'); ++ ++ // Colour Picker ++ $("#menucol").spectrum({ ++ showInput: true, ++ className: "full-spectrum", ++ showInitial: true, ++ showPalette: true, ++ showSelectionPalette: true, ++ maxPaletteSize: 6, ++ preferredFormat: "hex", ++ localStorageKey: "spectrum.demo", ++ move: function (color) {}, ++ show: function () {}, ++ beforeShow: function () {}, ++ hide: function () {}, ++ change: function() {}, ++ palette: [ ++ ['rgb(217,217,217)','rgb(189,189,189)','rgb(150,150,150)','rgb(99,99,99)','rgb(37,37,37)'], ++ ['rgb(199,233,192)','rgb(161,217,155)','rgb(116,196,118)','rgb(49,163,84)','rgb(0,109,44)'], ++ ['rgb(218,218,235)','rgb(188,189,220)','rgb(158,154,200)','rgb(117,107,177)','rgb(84,39,143)'], ++ ['rgb(198,219,239)','rgb(158,202,225)','rgb(107,174,214)','rgb(49,130,189)','rgb(8,81,156)'], ++ ['rgb(254,217,118)','rgb(254,178,76)','rgb(253,141,60)','rgb(240,59,32)','rgb(189,0,38)'] ++ ] ++ }); ++ } ++ ++ // Pickbox click events ++ $(document).on('click', '.p_row', function() { ++ if ($('.tagbox').css('display') != 'none') $('.tagcancel').click(); ++ var ctype = $(this).data('type'); ++ var alias = $(this).data('alias'); ++ var args = $('#tlpick').data('val'); ++ switch(ctype) { ++ case "l": ++ $('.pickbox').fadeOut('fast'); ++ $('#search').val(alias + " " + args); ++ $('.b_update').click(); ++ break; ++ case "r": ++ $('.pickbox').fadeOut('fast'); ++ var url = h2s($(this).data('url')).replace("${var}", args); ++ window.open(url); ++ break; ++ case "t": ++ 
$('.tagbox').fadeIn('fast'); ++ $('.taginput').focus(); ++ break; ++ case "s": ++ $('.pickbox').fadeOut('fast', function() {; ++ $('#ico05').click(); ++ }); ++ $('.srch_txt').val(args); ++ break; ++ case "h": ++ doHistory(args); ++ $('.pickbox').fadeOut('fast'); ++ break; ++ default: return; ++ } ++ }); ++ ++ // ++ // Tags ++ // ++ ++ // Truncate ++ function truncTag(tag,len) { ++ if (tag.length > len) tag = tag.substring(0,len) + ".."; ++ return tag; ++ } ++ ++ // Filter results or add as new ++ $(document).on('click', '.tag', function() { ++ var tag = $(this).data('val'); ++ if($('.taginput').is(":visible")) { ++ $('.taginput').val(tag); ++ $('.taginput').focus(); ++ } else { ++ $('#search').val('tag ' + tag); ++ $('.b_update').click(); ++ } ++ }); ++ ++ // Remove individual tags on "(X)" click via payload area ++ $(document).on('mouseenter', '.tag_d, .tag_s', function() { ++ var tag = $(this).data('val'); ++ if ($(".tag_x")[0]) return; ++ var dw = $(this).width() - 5 + "px"; ++ $(this).append("
X
"); ++ $(".tag_x").css("margin-left", dw); ++ $(".tag_x").fadeIn("slow"); ++ ++ }); ++ ++ $(document).on('mouseleave', '.tag_d, .tag_s', function() { ++ $('.tag_x').remove(); ++ }); ++ ++ $(document).on('click', '.tag_x', function() { ++ var tag = $(this).parent().data("val"); ++ var obj = $(this).parent().data("obj"); ++ $(this).parent().remove(); ++ var len = $("#tag_area").text().length; ++ if (len == 0) $("#tag_area").append("None."); ++ //doTag(s2h(obj),tag,'rm'); ++ }); ++ ++ // Fire tag add on enter ++ $('.taginput').keypress(function(e) { ++ if (!e) e=window.event; ++ key = e.keyCode ? e.keyCode : e.which; ++ if (key == 13) $('.tagok').click(); ++ }); ++ ++ // Close tag entry ++ $(document).on('click', '.tagcancel', function() { ++ $('.taginput').val(''); ++ $('.tagbox').fadeOut('fast'); ++ }); ++ ++ // Add a tag ++ $(document).on('click', '.tagok', function() { ++ var tag = $('.taginput').val(); ++ var obj = $('#pickbox_label').text(); ++ var re = /^[?a-zA-Z0-9][\s{1}\w-\.]*$/; ++ var OK = re.exec(tag); ++ if (OK) doTag(s2h(obj),tag,'add'); ++ }); ++ ++ // Remove a tag ++ $(document).on('click', '.tagrm', function() { ++ var tag = truncTag($('.taginput').val(),20); ++ var obj = $('#pickbox_label').text(); ++ doTag(s2h(obj),tag,'rm'); ++ $(".tag" + ":contains('" + tag + "')").remove(); ++ $('.tagcancel').click(); ++ }); ++ ++ // Display or Toggle tags ++ function addTag(tag) { ++ // If we entered from payload we have some additional info ++ if ($('#eview_sub2')[0]) { ++ var longTag = tag.split(",")[0]; ++ var theClass = tag.split(",")[1]; ++ var t_tag = truncTag(longTag,20); ++ } else { ++ var t_tag = truncTag(tag,20); ++ } ++ ++ // Hide empty ++ $('.tag_empty').hide(); ++ ++ // Check if tag exists ++ var tag_exists = 0; ++ $('.tag').each(function() { ++ if ($(this).text() == t_tag) { ++ $(this).addClass('tag_active'); ++ tag_exists = 1; ++ } ++ }); ++ ++ // Add tag to left pane ++ if (tag_exists == 0) { ++ var newTag = "
" + t_tag + "
"; ++ $('#tg_box').prepend(newTag); ++ } ++ ++ // If we have the payload open, add here as well ++ if ($('#eview_sub2')[0]) { ++ if($('#pickbox_label').is(":visible")) { ++ theClass = $('#pickbox_label').data('sord')[0]; ++ } ++ // Remove placeholder ++ if ($('#tag_none')[0]) $('#tag_none').remove(); ++ var newTag = "
" + t_tag + "
"; ++ $('#tag_area').prepend(newTag); ++ } ++ ++ } ++ ++ function doTag(obj,tag,op) { ++ var urArgs = "type=19&obtype=tag&object=" + obj + "&value=" + tag + "&op=" + op; ++ $(function(){ ++ $.post(".inc/callback.php?" + urArgs, function(data){cb22(data)}); ++ }); ++ ++ function cb22(data){ ++ eval("theData=" + data); ++ if (theData.msg != '') { ++ alert(theData.msg); ++ } else { ++ if (op != 'rm') addTag(tag); ++ $('.tagcancel').click(); ++ } ++ } ++ } ++ ++ // Colours ++ $(document).on('click', '.csave', function() { ++ var obtype = $(this).data('obtype'); ++ var object = $(this).data('object'); ++ var colour = $('#menucol').val().replace(/#/,"").toUpperCase(); ++ var op = "add"; ++ var re = /^([A-Fa-f0-9]{6}|[A-Fa-f0-9]{3})$/; ++ var OK = re.exec(colour); ++ if (!OK) return; ++ // Single or multiple? ++ if (obtype == "src" || obtype == "dst") { ++ var vr = new Array(); ++ $("." + obtype).each(function() { ++ var v = $(this).text(); ++ var re = /\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}/; ++ var OK = re.exec(v); ++ if (OK) { ++ var t = vr.indexOf(v); ++ if (t < 0) vr.push(v); ++ } ++ }); ++ object = vr.toString(); ++ } ++ ++ var urArgs = "type=19&obtype=" + obtype + "_c&object=" + object + "&value=" + colour + "&op=" + op; ++ $(function(){ ++ $.post(".inc/callback.php?" + urArgs, function(data){cb22(data)}); ++ }); ++ ++ function cb22(data){ ++ eval("theData=" + data); ++ if (theData.msg != '') { ++ alert(theData.msg); ++ } else { // We should be good.. ++ var curObject = $('#pickbox_label').text(); ++ if (obtype == "el") { ++ var html = "
" + colour; ++ $('#el_' + curObject).html(html); ++ $('#el_' + curObject).data('col', colour); ++ } else { ++ $(".sub_filter:contains(" + curObject + ")").each(function() { ++ $(this).find('.object').css('background-color', '#' + colour).parent().data('col', colour); ++ }); ++ } ++ $('.pickbox').fadeOut('fast'); ++ } ++ } ++ }); ++ ++ $(document).on('click', '.pickbox_close', function() { ++ $('.tagcancel').click(); ++ $('.pickbox').fadeOut('fast'); ++ }); ++ ++ // ++ // Object History ++ // ++ ++ function hItemAdd(item) { ++ var itemTitle = item; ++ // Truncate ++ if (item.length > 33) { ++ itemTitle = item.substring(0,33) + ".."; ++ } ++ // Remove empty message ++ $('.history_empty').hide(); ++ ++ // If the item doesn't exist, add it. Otherwise, we start counting. ++ if ($(".h_item:contains('" + itemTitle + "')").length > 0) { ++ var oc = $(".h_item:contains('" + itemTitle + "')").data('n'); ++ var nc = Number(oc) + 1; ++ var bg = '#c9c9c9'; ++ var fn = 'normal'; ++ if (nc <= 3) { ++ bg = '#000'; ++ } else if (nc > 3) { ++ bg = '#cc0000'; ++ fn = 'bold'; ++ } ++ ++ $(".h_item:contains('" + itemTitle + "')").css('color', bg); ++ $(".h_item:contains('" + itemTitle + "')").css('font-weight', fn); ++ $(".h_item:contains('" + itemTitle + "')").data('n',nc); ++ $(".h_item:contains('" + itemTitle + "')").text(itemTitle + "(" + nc + ")"); ++ } else { ++ var toAdd = " " + itemTitle + ""; ++ $('#h_box').prepend(toAdd); ++ } ++ } ++ ++ if (!$('.h_item')[0]) { ++ $('.history_empty').show(); ++ } ++ ++ // Alt mappings for icons ++ ++ $.alt('1', function() { ++ $("#ico01").click(); ++ }); ++ $.alt('2', function() { ++ $("#ico02").click(); ++ }); ++ $.alt('3', function() { ++ $("#ico03").click(); ++ }); ++ $.alt('4', function() { ++ $("#ico05").click(); ++ }); ++ $.alt('5', function() { ++ $("#ico04").click(); ++ }); ++ ++ // ++ // Event classification ++ // ++ ++ // Use function keys to trigger status buttons ++ $(document).keydown(function(event){ ++ ++ function stopOthers() 
{ ++ event.originalEvent.keyCode = 0; ++ event.preventDefault(); ++ event.stopPropagation(); ++ } ++ ++ switch (event.keyCode) { ++ case 112: stopOthers(); $('#b_class-11').click(); break; ++ case 113: stopOthers(); $('#b_class-12').click(); break; ++ case 114: stopOthers(); $('#b_class-13').click(); break; ++ case 115: stopOthers(); $('#b_class-14').click(); break; ++ case 116: stopOthers(); $('#b_class-15').click(); break; ++ case 117: stopOthers(); $('#b_class-16').click(); break; ++ case 118: stopOthers(); $('#b_class-17').click(); break; ++ case 119: stopOthers(); $('#b_class-1').click(); break; ++ case 120: stopOthers(); $('#b_class-2').click(); break; ++ } ++ }); ++ ++ // Comment window status buttons ++ $(document).on("click", "#cw_buttons", function(event) { ++ var newclass = $(event.target).data('n'); ++ if (newclass == 0) { ++ $('#b_class-' + newclass).click(); ++ } else { ++ $('#b_class-' + newclass).click(); ++ } ++ }); ++ ++ // Highlight colour for selected events ++ var hlcol = "#FFFFE0"; ++ var hlhov = "#FDFDD6"; ++ ++ // Individual selects ++ var clickOne = 0, clck1 = 0, clck2 = 0; ++ $(document).on("click", ".chk_event", function(event) { ++ $("#tl3b").trigger('update'); ++ var clickTwo = this.id.split("_"); ++ if (Number(clickOne[1]) > Number(clickTwo[1])) { ++ clck1 = clickTwo[1]; ++ clck2 = clickOne[1]; ++ } else { ++ clck1 = clickOne[1]; ++ clck2 = clickTwo[1]; ++ } ++ ++ if (event.shiftKey) { ++ if (clck1 != clck2) { ++ $("#s" + clck1).nextUntil("#s" + clck2).find(".chk_event").prop("checked", true); ++ $("#s" + clck1).nextUntil("#s" + clck2).css("background-color", hlcol); ++ $("#s" + clck1).nextUntil("#s" + clck2).hover( ++ function(){$(this).css("background-color", hlhov)}, ++ function(){$(this).css("background-color", hlcol)}); ++ clickOne = 0, clck1 = 0, clck2 = 0; ++ } ++ } ++ ++ // Update class_count ++ $("#class_count").html($(".chk_event:checked").length); ++ if ($("#ca1:checked").length > 0) { ++ $("#ca1").prop("checked",false); ++ 
} ++ clickOne = this.id.split("_"); ++ ++ if ($(this).prop("checked") == true) { ++ $("#s" + clickTwo[1]).css("background-color", hlcol); ++ $("#s" + clickTwo[1]).hover(function(){$(this).css("background-color", hlhov)}, ++ function(){$(this).css("background-color", hlcol)}); ++ } else { ++ $("#s" + clickTwo[1]).css("background-color", "transparent"); ++ $("#s" + clickTwo[1]).hover(function(){$(this).css("background-color", "#f4f4f4")}, ++ function(){$(this).css("background-color", "transparent")}); ++ } ++ }); ++ ++ // Select all (2) ++ $(document).on("click", "#ca1", function(event) { ++ var chkLen = $("#ca1:checked").length; ++ switch(chkLen) { ++ case 0: ++ $(".chk_event").prop("checked",false); ++ $("#ca0").prop("checked",false); ++ $(".d_row_sub1").css("background-color", "transparent"); ++ $(".d_row_sub1").hover(function(){$(this).css("background-color", "#f4f4f4")}, ++ function(){$(this).css("background-color", "transparent")}); ++ break; ++ default: ++ $(".chk_event").each(function() { ++ if ($(this).prop("disabled") == false) { ++ $(this).prop("checked",true); ++ } ++ }); ++ $(".d_row_sub1").css("background-color", hlcol); ++ $(".d_row_sub1").hover(function(){$(this).css("background-color", hlhov)}, ++ function(){$(this).css("background-color", hlcol)}); ++ $("#ca0").prop("checked",true); ++ break; ++ } ++ ++ if ($(".eview_sub1")[0]) { ++ // Update class_count ++ $("#class_count").html($(".chk_event:checked").length); ++ } ++ ++ }); ++ ++ // Select all (2a) - clean this up, the above is almost identical ++ $(document).on("click", "#ca2", function(event) { ++ var chkLen = $("#ca2:checked").length; ++ switch(chkLen) { ++ case 0: ++ $(".chk_event").prop("checked",false); ++ $("#ca2").prop("checked",false); ++ $(".d_row_sub1").css("background-color", "transparent"); ++ $(".d_row_sub1").hover(function(){$(this).css("background-color", "#f4f4f4")}, ++ function(){$(this).css("background-color", "transparent")}); ++ break; ++ default: ++ 
$(".chk_event").each(function() { ++ if ($(this).prop("disabled") == false) { ++ $(this).prop("checked",true); ++ } ++ }); ++ $(".d_row_sub1").css("background-color", hlcol); ++ $(".d_row_sub1").hover(function(){$(this).css("background-color", hlhov)}, ++ function(){$(this).css("background-color", hlcol)}); ++ $("#ca2").prop("checked",true); ++ break; ++ } ++ // Update class_count ++ $("#class_count").html($(".chk_event:checked").length); ++ }); ++ ++ // Class button click ++ $(document).on("click", "[id*=\"b_class-\"]", function() { ++ // We only fire if something is selected ++ var chkLen = parseInt($(".chk_event:checked").length + $(".chk_all:checked").length); ++ var intclass = $(this).attr('id').split("-"); ++ if (chkLen > 0 && intclass[1] != 0) { ++ eClass(this,intclass[1]); ++ } ++ }); ++ ++ function eClass(caller,intclass) { ++ // The sid.cid values ++ var scid= "", scidlist = "", ecls = 0; ++ if ($(".eview_sub1")[0] || $("#ca2")[0]) { ++ $(".chk_event:checked").each(function() { ++ if ($(this).data('eclass') == 0) { ++ ecls++; ++ } ++ scid += $(this).val() + ","; ++ }); ++ scidlist = scid.replace(/,$/, ""); ++ } else { ++ ecls = $(".d_row_active").find(".b_ec_hot").text(); ++ scidlist = $("#ca0").data("scid"); ++ } ++ ++ // Was there a message? ++ var msg = "none"; ++ if ($(".cat_msg_txt").val().length != 0) { ++ msg = $(".cat_msg_txt").val(); ++ } ++ ++ if ($('#cat_box').css('display') != 'none') { ++ $('#ico01').click(); ++ } ++ ++ // We are now ready to class ++ var catdata = intclass + "|||" + msg + "|||" + scidlist; ++ var urArgs = "type=" + 9; ++ $(function(){ ++ $.post(".inc/callback.php?" 
+ urArgs, { catdata: catdata } ,function(data){cb9(data)}); ++ }); ++ ++ function cb9(data){ ++ eval("catRaw=" + data); ++ catDbg = catRaw.dbg; ++ if (catDbg == "0") { ++ ++ var curtotalrtcount = Number(ecls); ++ // Working on grouped events ++ if ($("#gr").text() == "on") { ++ curclasscount = Number($("#class_count").text()); ++ var curtotalparentcount = $(".d_row_active").find(".b_ec_hot").text(); ++ // Do we have queued events? ++ if (curtotalparentcount > 0) { ++ ++ // Are we working on queued events? ++ if (curtotalrtcount > 0) { ++ curclasscount = curtotalrtcount; ++ } else { ++ curclasscount = 0; ++ } ++ // Adjust the parent count ++ newparentcount = parseInt(curtotalparentcount - curclasscount,10); ++ $(".d_row_active").find(".b_ec_hot").text(newparentcount); ++ ++ if (newparentcount == 0) { ++ $(".d_row_active").find(".b_ec_hot").parent().attr('class','row'); ++ $(".d_row_active").find(".b_ec_hot").attr('class','b_ec_cold'); ++ } ++ ++ // If we are working within the child, adjust accordingly ++ if ($(".eview_sub1")[0]) { ++ // How many are in the child ++ curtotalchildcount = $(".d_row_sub_active").find(".b_ec_hot").text(); ++ ++ // Adjust the child count ++ newchildcount = parseInt(curtotalchildcount - curclasscount,10); ++ $(".d_row_sub_active").find(".b_ec_hot").text(newchildcount); ++ if (newchildcount == 0) { ++ $("#ca1").prop("disabled",true); ++ $(".d_row_sub_active").find(".b_ec_hot").parent().attr('class','sub'); ++ $(".d_row_sub_active").find(".b_ec_hot").attr('class','b_ec_cold'); ++ } ++ // Otherwise we were called from the parent ++ } else { ++ $(".d_row_sub").find(".b_ec_hot").parent().attr('class','sub'); ++ $(".d_row_sub").find(".b_ec_hot").text(0); ++ $(".d_row_sub").find(".b_ec_hot").attr('class','b_ec_cold'); ++ $("#ca0").prop("disabled",true); ++ } ++ lastclasscount = newparentcount; ++ } ++ ++ // Lastly, update class_count ++ if (rtbit == 1 || curtotalrtcount > 0 || $("#eview_sub")[0]) { ++ $("#class_count").html(0); ++ } else { ++ 
$("#class_count").html($(".d_row_active").find(".b_ec_total").text()); ++ } ++ ++ // Working on ungrouped events ++ } else { ++ $("#class_count").html(lastclasscount); ++ } ++ ++ // What the new classification is ++ selClass = $(caller).data("cn"); ++ newClass = "a_" + selClass; ++ ++ // Change visible class and disable if RT ++ // If we are RT ungrouped, we just remove ++ if ($('#rt').text() == 'on' && $("#ca2")[0]) { ++ $(".chk_event:checked").each(function() { ++ var pid = $(this).attr("id").split("_"); ++ var nid = parseInt(Number(pid[1]) + 1); ++ // Remove any open payload or TX panes ++ if ($("[id^=eview_]")[0]) { ++ $("[id^=eview_]").remove(); ++ $(".d_row_sub1").css('opacity','1'); ++ } ++ // Remove the row ++ $("#s" + pid[1]).fadeOut('fast', function() { ++ $("#s" + pid[1]).remove(); ++ }); ++ }); ++ ++ // Update table (for sorter) ++ $("#tl3b").trigger('update'); ++ } else { ++ // If we are RT and all events are classed we just remove ++ if ($('#rt').text() == 'on' && $(".d_row_active").find(".b_ec_hot").text() == 0) { ++ $("#active_eview").remove(); ++ $(".d_row_active").fadeOut('slow', function (event) { ++ $(".d_row_active").remove(); ++ var newsigtotal = "-"; ++ var sigtotal = $("#esignature").text(); ++ if (sigtotal > 0) { ++ newsigtotal = parseInt(sigtotal - 1); ++ } ++ $("#esignature").text(newsigtotal); ++ }); ++ $(".d_row").css('opacity','1'); ++ } else { ++ $(".chk_event:checked").each(function() { ++ var n = this.id.split("_"); ++ $("#class_box_" + n[1]).attr('class', newClass); ++ $("#class_box_" + n[1]).text(selClass); ++ if (curtotalparentcount > 0) { ++ $(this).prop("disabled",true); ++ } ++ }); ++ } ++ $(".d_row_sub1").css("background-color", "#fafafa"); ++ $(".d_row_sub1").hover(function(){$(this).css("background-color", "#f4f4f4")}, ++ function(){$(this).css("background-color", "#fafafa")}); ++ } ++ ++ // Uncheck everything ++ $(".chk_event").prop("checked", false); ++ $(".chk_all").prop("checked", false); ++ // Remove these scids from 
the L1 scidlist ++ if ($("#ca0")[0] && rtbit == 1) { ++ var cur_scidlist = scidlist.split(','); ++ var active_scidlist = $("#ca0").data("scid"); ++ for (var i = 0; i < cur_scidlist.length; i++) { ++ active_scidlist = active_scidlist.replace(cur_scidlist[i],''); ++ } ++ active_scidlist = active_scidlist.replace(/,{2,}/g,','); ++ active_scidlist = active_scidlist.replace(/(^,|,$)/g,''); ++ $("#ca0").data("scid", active_scidlist); ++ } ++ catMsg(scidlist.split(',').length, curtotalrtcount); ++ } else { ++ catMsg(0); ++ } ++ } ++ } ++ ++ function catMsg(count, rtcount) { ++ switch (count) { ++ default: ++ var ess = ''; ++ if ( count > 1 ) ess = 's'; ++ ++ var numrows = Number($('.d_row').length + $('.d_row_sub1').length); ++ var newboxtotal = 0, newcatcount = 0; ++ newboxtotal = parseInt($("#qtotal").text() - rtcount); ++ $("#qtotal").text(newboxtotal); ++ ++ // If we are just rt update Total boxes as we go ++ if ($("#ca2")[0]) { // We are ungrouped ++ newcatcount = parseInt($("#cat_count").text() - count); ++ if (newcatcount == 0) { ++ newView("u"); ++ } else { ++ $("#cat_count").text(newcatcount); ++ } ++ } ++ ++ if (numrows == 0) { ++ newView("u"); ++ } ++ ++ var msg = count + " event" + ess + " categorized"; ++ clearTags(); ++ break; ++ } ++ ++ $("span.class_msg").text(msg); ++ $("span.class_msg").fadeIn('slow', function() { ++ setTimeout(function(){ ++ $(".class_msg").fadeOut('slow'); ++ }, 3000); ++ }); ++ } ++ ++ // Load summary tab ++ function loadSummary() { ++ var limit = 10; ++ if ($('#wm0')[0]) { ++ doMap("redraw"); ++ } else { ++ doMap("draw"); ++ } ++ mkSummary("signature",limit); ++ mkSummary("srcip",limit); ++ mkSummary("dstip",limit); ++ mkSummary("srcpt",limit); ++ mkSummary("dstpt",limit); ++ mkSummary("srccc",limit); ++ mkSummary("dstcc",limit); ++ } ++ ++ // Toggle summary section ++ $(document).on("click", ".hidepane", function(e) { ++ $('#topsignature').toggle(); ++ }); ++ ++ // Summary tab ++ function mkSummary(box,limit) { ++ var theWhen = 
getTimestamp(); ++ var theSensors = s2h('empty'); ++ var theFilter = mkFilter(); ++ // See if we are filtering by sensor ++ if ($('.chk_sen:checked').length > 0) { ++ var active_sensors = "AND event.sid IN("; ++ var iter = $('.chk_sen:checked').length; ++ $('.chk_sen:checked').each(function() { ++ active_sensors += "'" + $(this).val() + "',"; ++ }); ++ active_sensors = active_sensors.replace(/,+$/,''); ++ active_sensors += ")"; ++ theSensors = s2h(active_sensors); ++ } ++ ++ var ldr = "
"; ++ $('#ov_' + box + '_sl').prepend(ldr); ++ $('#top' + box).fadeTo('fast', 0.2); ++ switch (box) { ++ case "srcip": ++ var cbArgs = "srcip"; ++ var qargs = "ip-src"; ++ var urArgs = "type=15&qargs=" + qargs + "&filter=" + theFilter + "&sensors=" + theSensors + "&limit=" + limit + "&ts=" + theWhen; ++ $(function(){ ++ $.get(".inc/callback.php?" + urArgs, function(data){cb15(data,cbArgs)}); ++ }); ++ break; ++ case "dstip": ++ var cbArgs = "dstip"; ++ var qargs = "ip-dst"; ++ var urArgs = "type=15&qargs=" + qargs + "&filter=" + theFilter + "&sensors=" + theSensors + "&limit=" + limit + "&ts=" + theWhen; ++ $(function(){ ++ $.get(".inc/callback.php?" + urArgs, function(data){cb15(data,cbArgs)}); ++ }); ++ break; ++ case "srcpt": ++ var cbArgs = "srcpt"; ++ var qargs = "pt-src"; ++ var urArgs = "type=15&qargs=" + qargs + "&filter=" + theFilter + "&sensors=" + theSensors + "&limit=" + limit + "&ts=" + theWhen; ++ $(function(){ ++ $.get(".inc/callback.php?" + urArgs, function(data){cb17(data,cbArgs)}); ++ }); ++ break; ++ case "dstpt": ++ var cbArgs = "dstpt"; ++ var qargs = "pt-dst"; ++ var urArgs = "type=15&qargs=" + qargs + "&filter=" + theFilter + "&sensors=" + theSensors + "&limit=" + limit + "&ts=" + theWhen; ++ $(function(){ ++ $.get(".inc/callback.php?" + urArgs, function(data){cb17(data,cbArgs)}); ++ }); ++ break; ++ case "signature": ++ var qargs = "sig-sig"; ++ var urArgs = "type=15&qargs=" + qargs + "&filter=" + theFilter + "&sensors=" + theSensors + "&limit=" + limit + "&ts=" + theWhen; ++ $(function(){ ++ $.get(".inc/callback.php?" + urArgs, function(data){cb16(data)}); ++ }); ++ break; ++ case "srccc": ++ var cbArgs = "srccc"; ++ var qargs = "cc-src"; ++ var urArgs = "type=15&qargs=" + qargs + "&filter=" + theFilter + "&sensors=" + theSensors + "&limit=" + limit + "&ts=" + theWhen; ++ $(function(){ ++ $.get(".inc/callback.php?" 
+ urArgs, function(data){cb15(data,cbArgs)}); ++ }); ++ break; ++ case "dstcc": ++ var cbArgs = "dstcc"; ++ var qargs = "cc-dst"; ++ var urArgs = "type=15&qargs=" + qargs + "&filter=" + theFilter + "&sensors=" + theSensors + "&limit=" + limit + "&ts=" + theWhen; ++ $(function(){ ++ $.get(".inc/callback.php?" + urArgs, function(data){cb15(data,cbArgs)}); ++ }); ++ break; ++ } ++ ++ // IP and Country ++ function cb15(data,cbArgs){ ++ var ch = "SRC"; ++ var wip = "d"; ++ if (cbArgs[0] == "s") ch = "DST", wip = "s"; ++ eval("raw=" + data); ++ var tbl = '', head = '', row = ''; ++ head += ""; ++ head += "COUNT"; ++ head += "%TOTAL"; ++ head += "#SIG"; ++ head += "#" + ch + ""; ++ if (cbArgs[3] == "c") { ++ head += "COUNTRY"; ++ head += "#IP"; ++ } else { ++ head += "IP"; ++ head += "COUNTRY"; ++ } ++ head += ""; ++ ++ var eventsum = raw[raw.length - 1].n || 0; ++ var records = raw[raw.length - 1].r || 0; ++ if (records == 0) { ++ row = "No result."; ++ $("#ov_" + cbArgs + "_sl").text(""); ++ } ++ for (var i=0; i 0) per = parseFloat(cnt/eventsum*100).toFixed(2); ++ row += ""; ++ row += "" + cnt + ""; ++ row += "" + per + "%"; ++ row += "" + sigs + ""; ++ row += "" + ip2 + ""; ++ ++ if (cbArgs[3] == "c") { ++ row += ""; ++ row += cs[1] + clong + " (." + cc.toLowerCase() + ")" + ""; ++ row += "" + ip + ""; ++ } else { ++ row += "
" + ip + ""; ++ row += ""; ++ row += cs[1] + clong + " (." + cc.toLowerCase() + ")" + ""; ++ } ++ row += ""; ++ row += "
"; ++ } ++ tbl += ""; ++ tbl += head; ++ tbl += row; ++ tbl += "
"; ++ if ($("#top" + cbArgs)[0]) $("#top" + cbArgs).remove(); ++ $("#ov_" + cbArgs + "_sl").after(tbl); ++ $("#ov_" + cbArgs + "_msg").html("viewing " + i + " of " + records + " results"); ++ mkSlider("ov_" + cbArgs + "_sl", i, records); ++ } ++ ++ // Ports ++ function cb17(data,cbArgs){ ++ eval("raw=" + data); ++ var tbl = '', head = '', row = ''; ++ head += ""; ++ head += "COUNT"; ++ head += "%TOTAL"; ++ head += "#SIG"; ++ head += "#SRC" ++ head += "#DST"; ++ head += "PORT"; ++ head += ""; ++ ++ var eventsum = raw[raw.length - 1].n || 0; ++ var records = raw[raw.length - 1].r || 0; ++ if (records == 0) { ++ row = "No result."; ++ $("#ov_" + cbArgs + "_sl").text(""); ++ } ++ for (var i=0; i 0) per = parseFloat(cnt/eventsum*100).toFixed(2); ++ row += ""; ++ row += "" + cnt + ""; ++ row += "" + per + "%"; ++ row += "" + sigs + ""; ++ row += "" + src + ""; ++ row += "" + dst + ""; ++ row += "" + port + ""; ++ row += ""; ++ row += "
"; ++ } ++ tbl += ""; ++ tbl += head; ++ tbl += row; ++ tbl += "
"; ++ if ($("#top" + cbArgs)[0]) $("#top" + cbArgs).remove(); ++ $("#ov_" + cbArgs + "_sl").after(tbl); ++ $("#ov_" + cbArgs + "_msg").html("viewing " + i + " of " + records + " results"); ++ mkSlider("ov_" + cbArgs + "_sl", i, records); ++ } ++ // Signature ++ function cb16(data){ ++ eval("raw=" + data); ++ var tbl = '', head = '', row = ''; ++ head += ""; ++ head += "COUNT"; ++ head += "%TOTAL"; ++ head += "#SRC"; ++ head += "#DST"; ++ head += "SIGNATURE"; ++ head += "ID"; ++ head += ""; ++ ++ var eventsum = raw[raw.length - 1].n || 0; ++ var records = raw[raw.length - 1].r || 0; ++ if (records == 0) { ++ row = "No result."; ++ $("#ov_signature_sl").text(""); ++ $("#ovestat").html("(No events)"); ++ } else { ++ $("#ovestat").html("(" + eventsum + " events)"); ++ } ++ for (var i=0; i 0) per = parseFloat(cnt/eventsum*100).toFixed(2); ++ row += ""; ++ row += "" + cnt + ""; ++ row += "" + per + "%"; ++ row += "" + src + ""; ++ row += "" + dst + ""; ++ row += "" + sig + ""; ++ row += "" + sid + ""; ++ row += ""; ++ row += "
"; ++ } ++ ++ tbl += ""; ++ tbl += head; ++ tbl += row; ++ tbl += "
"; ++ if ($('#topsignature')[0]) $('#topsignature').remove(); ++ $("#ov_signature_sl").after(tbl); ++ $("#ov_signature_msg").html("viewing " + i + " of " + records + " results"); ++ mkSlider("ov_signature_sl", i, records); ++ } ++ } ++ ++ $(".ovsl").mouseup(function() { ++ var section = $(this).attr('id'); ++ var base = section.split("_")[1]; ++ var limit = Number($("#" + section + "_lbl").text()); ++ if (limit > 0) mkSummary(base, limit); ++ }); ++ ++ // ++ // Views tab ++ // ++ ++ function loadViews() { ++ $('.db_links').show(); ++ if (!$("#db_view_cont")[0]) mkView(); ++ } ++ ++ // Link handlers ++ $(document).on('click', '.db_link', function() { ++ $('.db_link').each(function() { ++ if ($(this).data('state') == '1') { ++ $(this).removeClass('db_link_active'); ++ $(this).data('state', '0'); ++ } ++ }); ++ $(this).data('state', '1'); ++ mkView(); ++ }); ++ ++ $(document).on('click', '.db_type', function() { ++ $('.db_type').each(function() { ++ if ($(this).data('state') == '1') { ++ $(this).removeClass('db_type_active'); ++ $(this).data('state', '0'); ++ } ++ }); ++ $(this).data('state', '1'); ++ mkView(); ++ }); ++ ++ $(document).on('click','.db_save', function() { ++ ++ }); ++ ++ // Create the view ++ function mkView() { ++ $('#db_view_cont,#hp_info').remove(); ++ if (!$("#db_view_ldr")[0]) { ++ var view = 'ip'; ++ $('.db_link').each(function() { ++ if ($(this).data('state') == '1') { ++ $(this).addClass('db_link_active'); ++ view = $(this).data('val'); ++ } ++ }); ++ ++ var type = 'sk'; ++ $('.db_type').each(function() { ++ if ($(this).data('state') == '1') { ++ $(this).addClass('db_type_active'); ++ type = $(this).data('type'); ++ } ++ }); ++ ++ var theWhen = getTimestamp(); ++ var theSensors = s2h('empty'); ++ var theFilter = mkFilter(); ++ // See if we are filtering by sensor ++ if ($('.chk_sen:checked').length > 0) { ++ var active_sensors = "AND event.sid IN("; ++ var iter = $('.chk_sen:checked').length; ++ $('.chk_sen:checked').each(function() { ++ 
active_sensors += "'" + $(this).val() + "',"; ++ }); ++ active_sensors = active_sensors.replace(/,+$/,''); ++ active_sensors += ")"; ++ theSensors = s2h(active_sensors); ++ } ++ ++ var ldr = "
"; ++ $('.db_view').after(ldr); ++ var qargs = view + "-" + type; ++ var urArgs = "type=16&qargs=" + qargs + "&filter=" + theFilter + "&sensors=" + theSensors + "&ts=" + theWhen; ++ $(function(){ ++ $.get(".inc/callback.php?" + urArgs, function(data){cb17(data,type)}); ++ }); ++ ++ function cb17(data,type) { ++ eval("viewData=" + data); ++ var records = viewData.records; ++ if ($('#db_view_cont')[0]) $('#db_view_cont').remove(); ++ if (records > 0) { ++ $('.db_view').after("
"); ++ switch (type) { ++ case 'sk': ++ var w = $(window).width(); ++ var h = viewData.links.length * 12; ++ if (h < 100) h = 100; ++ mkSankey("db_view_cont",viewData,w,h); ++ break; ++ } ++ } else { ++ $('.db_view').after("
The query returned no results.
"); ++ } ++ $('#db_view_ldr').remove(); ++ } ++ } ++ } ++ ++ // Make a map ++ function doMap() { ++ theWhen = getTimestamp(); ++ var theFilter = mkFilter(); ++ var working = "Working
"; ++ ++ $('#wm0').html(working); ++ ++ var urArgs = "type=" + 10 + "&filter=" + theFilter + "&ts=" + theWhen; ++ $(function(){ ++ $.get(".inc/callback.php?" + urArgs, function(data){cb10(data)}); ++ }); ++ ++ function cb10(data){ ++ eval("mapRaw=" + data); ++ try { ++ var mapDetail = $.parseJSON("{" + mapRaw.all + "}"); ++ var srcc = mapRaw.srcc; ++ var srce = mapRaw.srce; ++ var dstc = mapRaw.dstc; ++ var dste = mapRaw.dste; ++ var allc = mapRaw.allc; ++ var alle = mapRaw.alle; ++ } ++ catch(e) { ++ var mapDetail = "{\"\"}"; ++ } ++ ++ // What is our current event total? ++ var esum = $('#event_sum').val(); ++ var w = $(window).width() - 72; ++ var h = w / 2.7 ; ++ $("#ov_map").html("
"); ++ $('#wm0').vectorMap({ ++ map: 'world_mill_en', ++ color: '#f4f3f0', ++ backgroundColor: '#CFE1FC', ++ zoomOnScroll: false, ++ onRegionClick: function(event, code){ ++ hItemAdd(code); ++ $('#search').val("cc" + " " + code); ++ $('#search').focus(); ++ }, ++ series: { ++ regions: [{ ++ values: mapDetail, ++ scale: ['#ffffff', '#000000'], ++ normalizeFunction: 'polynomial' ++ }] ++ }, ++ onRegionLabelShow: function(e, el, code){ ++ if (mapDetail[code]) { ++ var eper = parseFloat(mapDetail[code]/esum*100).toFixed(3); ++ el.html(el.html() + ' (' + mapDetail[code] + ' Events ' + eper + '% of Total)'); ++ } else { ++ el.html(el.html()); ++ } ++ } ++ }); ++ ++ var stats = "("; ++ stats += allc + " distinct countries)"; ++ $("#ovmapstat").html(stats); ++ } ++ } ++ ++ // Redraw map ++ $(document).on("click", "#map_src, #map_dst", function() { ++ doMap($(this).attr('id').split("_")[1]); ++ }); ++ ++ // ++ // History ++ // ++ ++ function doHistory(object) { ++ $('#loader').show(); ++ var urArgs = "type=" + 21 + "&object=" + s2h("aa" + object) + "&ts=" + theWhen; ++ $(function(){ ++ $.get(".inc/callback.php?" 
+ urArgs, function(data){cb21(data)}); ++ }); ++ ++ function cb21(data){ ++ eval("chartData=" + data); ++ var r1 = chartData.r1; ++ var r2 = chartData.r2; ++ var sum = 0; ++ if (r1 > 0) { ++ mkHeatMap(".ev_hm",chartData.start,chartData.rows1,object); ++ $('#obhist_sig').remove(); ++ if (r2 > 0) { ++ ++ for (var i=0; i < r2; i++) { ++ sum += Number(chartData.rows2[i].value); ++ } ++ ++ var tbl = '', head = '', row = ''; ++ head += ""; ++ head += "COUNT"; ++ head += "%TOTAL"; ++ head += "SIGNATURE"; ++ head += ""; ++ row += ""; ++ ++ for (var i=0; i < r2; i++) { ++ ++ var cnt = chartData.rows2[i].value || "-"; ++ var sig = chartData.rows2[i].label || "-"; ++ var sid = chartData.rows2[i].sid || "-"; ++ var per = 0; ++ if (sum > 0) var per = parseFloat(cnt/sum*100).toFixed(2); ++ var tsg = truncTag(sig,60); ++ ++ row += ""; ++ row += "" + cnt + ""; ++ row += "" + per + "%"; ++ row += "" + tsg + ""; ++ row += "" ++ row += "
"; ++ } ++ ++ row += ""; ++ tbl += ""; ++ tbl += head; ++ tbl += row; ++ tbl += "
";
++ if ($('#obhist_sig')[0]) $('#obhist_sig').remove();
++ $(".ev_py").append(tbl);
++ }
++ } else {
++ return;
++ }
++ if ($(".eview_charts")[0]) $('.eview_charts').slideDown('slow');
++ $("#loader").hide();
++ }
++ }
++// The End.
++});
+--- /dev/null
++++ securityonion-squert-20161212/auth/native/squert/login.php
+@@ -0,0 +1,138 @@
++
++//
++// This program is free software: you can redistribute it and/or modify
++// it under the terms of the GNU General Public License as published by
++// the Free Software Foundation, either version 3 of the License, or
++// (at your option) any later version.
++//
++// This program is distributed in the hope that it will be useful,
++// but WITHOUT ANY WARRANTY; without even the implied warranty of
++// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
++// GNU General Public License for more details.
++//
++// You should have received a copy of the GNU General Public License
++// along with this program. If not, see .
++//
++//
++
++include_once '.inc/config.php';
++
++$username = $password = $err = '';
++$focus = 'username';
++session_set_cookie_params(0, NULL, NULL, NULL, TRUE);
++
++function cleanUp($string) {
++ if (get_magic_quotes_gpc()) {
++ $string = stripslashes($string);
++ }
++ $string = mysql_real_escape_string($string);
++ return $string;
++}
++
++if ($_SERVER['REQUEST_METHOD'] == 'POST'){
++ $username = $_REQUEST['username'];
++ $password = $_REQUEST['password'];
++ $ua = $_SERVER['HTTP_USER_AGENT'];
++ $rqt = $_SERVER['REQUEST_TIME'];
++ $rqaddr = $_SERVER['REMOTE_ADDR'];
++ $max = mt_getrandmax();
++ $rqt .= mt_rand(0,$max);
++ $rqaddr .= mt_rand(0,$max);
++ $ua .= mt_rand(0,$max);
++ $cmpid = $rqt . $rqaddr .
$ua;
++ $id = md5($cmpid);
++ $db = mysql_connect($dbHost,$dbUser,$dbPass);
++ $link = mysql_select_db($dbName, $db);
++ if ($link) {
++ $user = cleanUp($username);
++ $query = "SELECT * FROM user_info WHERE username = '$user'";
++ $result = mysql_query($query);
++ $numRows = mysql_num_rows($result);
++
++ if ($numRows > 0) {
++ while ($row = mysql_fetch_row($result)) {
++ $userName = $row[1];
++ $lastLogin = $row[2];
++ $userHash = $row[3];
++ $userEmail = $row[4];
++ $userType = $row[5];
++ $userTime = $row[6];
++ $tzoffset = $row[7];
++ }
++ // The first 2 chars are the salt
++ $theSalt = substr($userHash, 0,2);
++
++ // The remainder is the hash
++ $theHash = substr($userHash, 2);
++
++ // Now we hash the users input
++ $testHash = sha1($password . $theSalt);
++
++ // Does it match? If yes, start the session.
++ if ($testHash === $theHash) {
++ session_start();
++
++ // Protect against session fixation attack
++ if (!isset($_SESSION['initiated'])) {
++ session_regenerate_id();
++ $_SESSION['initiated'] = true;
++ }
++
++ $_SESSION['sLogin'] = 1;
++ $_SESSION['sUser'] = $userName;
++ $_SESSION['sPass'] = $password;
++ $_SESSION['sEmail'] = $userEmail;
++ $_SESSION['sType'] = $userType;
++ $_SESSION['sTime'] = $userTime;
++ $_SESSION['tzoffset'] = $tzoffset;
++ $_SESSION['sTab'] = 't_sum';
++ $_SESSION['id'] = $id;
++
++ header ("Location: index.php?id=$id");
++ } else {
++ $err = 'The user name or password is incorrect.';
++ $focus = 'username';
++ }
++ } else {
++ $err = 'The user name or password is incorrect.';
++ $focus = 'username';
++ }
++ } else {
++ $err = 'Connection Failed';
++ }
++}
++?>
++
++
++
++Please login to continue
++
++
++
++
++
++
++ ++ ++ ++ ++ ++ ++
++squert - Please login to continue
++Username
++
++Password
++
++

++
Version 1.6.7©2016 Paul Halliday
++
++
++ ++ ++ +--- /dev/null ++++ securityonion-squert-20161212/auth/sso/squert/.js/squertMain.js +@@ -0,0 +1,3276 @@ ++/* Copyright (C) 2012 Paul Halliday */ ++ ++$(document).ready(function(){ ++ ++ $(document).on('click', '[class*="bpr"]', function() { ++ // We disallow filtering if any events have already been selected ++ // or if we stray from the event tab ++ if ($('.d_row_active')[0]) return; ++ if ($(".chk_event:checked").length > 0) return; ++ if ($(".tab_active").attr('id') != 't_sum') return; ++ ++ var prClass = $(this).attr('class').split('b')[1]; ++ var prOld = $(this).data('pr'); ++ ++ function flipIt(pattern) { ++ $(pattern).closest('tr').hide(); ++ $(pattern).closest('tr').attr('class','hidden'); ++ if ($('#gr').text() == 'on') $(pattern).closest('tr').find('.chk_event').prop("disabled",true); ++ } ++ if ($('.b' + prClass).attr('class') == 'bprA') { ++ $('.b' + prClass).attr('class', 'bpr' + prOld); ++ $('.hidden').attr('class','d_row'); ++ $('.d_row').show(); ++ if ($('#gr').text() == 'on') { ++ $('.chk_event').prop("disabled",false); ++ $('.chk_all').prop("checked",false); ++ $('.chk_event').css("background-color", "#fafafa"); ++ } ++ } else { ++ // See if we are already filtered ++ if ($('.bprA')[0]) { ++ $('.hidden').attr('class','d_row'); ++ $('.d_row').show(); ++ if ($('#gr').text() == 'on') { ++ $('.chk_event').prop("disabled",false); ++ $('.chk_all').prop("checked",false); ++ $('.chk_event').css("background-color", "#fafafa"); ++ } ++ var prPrev = $('.bprA').data('pr'); ++ $('.bprA').attr('class', 'bpr' + prPrev); ++ } ++ $('.b' + prClass).attr('class','bprA'); ++ switch (prClass) { ++ case "pr1": ptrn = ".pr2,.pr3,.pr4"; break; ++ case "pr2": ptrn = ".pr1,.pr3,.pr4"; break; ++ case "pr3": ptrn = ".pr1,.pr2,.pr4"; break; ++ case "pr4": ptrn = ".pr1,.pr2,.pr3"; break; ++ } ++ flipIt(ptrn); ++ } ++ }); ++ ++ // ++ // Load main content ++ // ++ ++ // Keep track of context ++ thisUser = $('#t_usr').data('c_usr'); ++ thisTZ = $('#user_tz').val(); ++ 
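Review bot: The user lookup at `$query = "SELECT * FROM user_info WHERE username = '$user'"` is still built by string interpolation on top of `mysql_connect`/`mysql_query`, and `cleanUp()` depends on `mysql_real_escape_string` (removed in PHP 7) and `get_magic_quotes_gpc` (removed in PHP 8), so on a current runtime this login file fails before the query runs; a PDO prepared statement removes the escaping step, the `cleanUp()` helper and the dead API together, as sketched below (the original `while` keeps only the last matching row, so a single `fetch` is equivalent when usernames are unique). `$_SESSION['sPass'] = $password;` stores the cleartext password in the server-side session store for the life of the session and nothing in this hunk reads it back, so that line should go. The comparison `if ($testHash === $theHash)` should be `if (hash_equals($theHash, $testHash))`, and the `sha1($password . $theSalt)` scheme with a two-character salt is dictated by the stored `user_info` hashes, so moving to `password_hash`/`password_verify` (rehashing on a successful login via `password_needs_rehash`) is a separate migration worth scheduling. `header ("Location: index.php?id=$id");` is not followed by `exit;`, so the login form further down is still rendered after the redirect header, and the POST branch reads `$_REQUEST['username']`/`$_REQUEST['password']`, which also accepts credentials from the query string where they land in access logs — `$_POST` is the right source.
```php
// … unchanged: $id generation …
try {
    $dbpdo = new PDO("mysql:host=$dbHost;dbname=$dbName", $dbUser, $dbPass, [
        PDO::ATTR_EMULATE_PREPARES => false,
        PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
    ]);
    $stmt = $dbpdo->prepare('SELECT * FROM user_info WHERE username = ?');
    $stmt->execute([$username]);
    $row = $stmt->fetch(PDO::FETCH_NUM);   // numeric row, so $row[1..7] below are unchanged
} catch (PDOException $e) {
    error_log('Login database error: ' . $e->getMessage());
    $err = 'Connection Failed';
    $row = false;
}
if ($err === '' && $row !== false) {
    $userName = $row[1];
    // … unchanged: remaining column assignments, salt/hash split, $testHash …
    if (hash_equals($theHash, $testHash)) {
        session_start();
        // … unchanged: session setup, without the $_SESSION['sPass'] line …
        header("Location: index.php?id=$id");
        exit;
    }
    // … unchanged: incorrect-credentials branch …
}
```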
rtbit = 0; ++ eventList("0-aaa-00"); ++ $("#loader").show(); ++ lastclasscount = 0; ++ ++ $(document).on("click", "#dt_savetz", function(event) { ++ if ($('.dt_error').data('err') == 0) { ++ var newOffset = $('#ts_offset').val(); ++ profileUpdate("tz", s2h(newOffset)); ++ $('#user_tz').val(newOffset); ++ } ++ }); ++ ++ // Depending on context a 'No result' may be confusing ++ // so we turn off active queue and show everything ++ $(document).on('click', '#retry', function() { ++ $('#rt').attr('class','tvalue_off'); ++ $('#rt').text('off'); ++ rtbit = 0; ++ $('.b_update').click(); ++ }); ++ ++ // Get event statuses ++ var eTotal = 0, qTotal = 0; ++ function statusPoll(caller) { ++ // See if we are filtering by sensor ++ var theSensors = s2h('empty'); ++ if ($('.chk_sen:checked').length > 0) { ++ var active_sensors = "AND event.sid IN("; ++ var iter = $('.chk_sen:checked').length; ++ $('.chk_sen:checked').each(function() { ++ active_sensors += "'" + $(this).val() + "',"; ++ }); ++ active_sensors = active_sensors.replace(/,+$/,''); ++ active_sensors += ")"; ++ theSensors = s2h(active_sensors); ++ } ++ ++ var urArgs = "type=" + 6 + "&ts=" + theWhen + "&sensors=" + theSensors; ++ $(function(){ ++ $.get(".inc/callback.php?" + urArgs, function(data){cb(data)}); ++ }); ++ ++ function cb(data){ ++ // Check to make sure we still have a valid session. If we don't ++ // let the user know and return them to the login page. ++ if (data[0] == "<") { ++ $("span.class_msg").text("Your session has expired!"); ++ $("span.class_msg").css("background-color", "#cc0000"); ++ $("span.class_msg").css("color", "#fff"); ++ $("span.class_msg").show(); ++ var sessionDead = confirm("Your session has expired. Press \"OK\" to return to the login page. If you aren't finished with what you were looking at click 'Cancel'. 
Note: you won't be able to perform any actions."); ++ if (sessionDead) { ++ $("#logout").click(); ++ } ++ } ++ eval("ec=" + data); ++ ++ var esum = 0; ++ ++ for (var i=0; i 0) { ++ var p = parseFloat(ecount/esum*100).toFixed(1); ++ var w = parseInt(p*2); ++ } ++ if (eclass == 0) { ++ qTotal = ecount; ++ } ++ $("#c-" + eclass).text(ecount); ++ $("#c-" + eclass).append("(" + p + "%)"); ++ } ++ ++ var lastcount = $("#cat_sum").val(); ++ var newcount = esum; ++ $("#cat_sum").val(esum); ++ eTotal = esum; ++ $("#event_sum").val(eTotal); ++ ++ if (caller == 0) { // Fresh load ++ lastcount = newcount; ++ } ++ ++ // Last RT value ++ var lastQ = Number($("#qtotal").html()); ++ if (lastcount < newcount) { ++ $("#etotal").html(eTotal); ++ } ++ ++ if (lastQ < qTotal) { ++ if (caller != 0) { ++ if ($(".icon_notifier").css('display') == 'none') $(".icon_notifier").fadeToggle(); ++ } ++ $("#etotal").html(eTotal); ++ $("#qtotal").html(qTotal); ++ } ++ ++ $("#title").html("squert (" + qTotal + ") - " + thisUser); ++ ++ } ++ ++ } ++ ++ // ++ // Event monitor (how often we poll for new events) ++ // ++ ++ var emTimeout = 30000; ++ window.setInterval(function(){ ++ if ($('#search').val().length == 0) { ++ statusPoll(1); ++ } ++ }, emTimeout); ++ ++ $(document).on("click", '[class*="cl_"]', function(event) { ++ var nc = $(this).attr('class').split("_"); ++ var ct = $(this).parents('table').data('comment'); ++ $(".cat_msg_txt").val(ct); ++ $('#b_class-' + nc[1]).click(); ++ }); ++ ++ // Tabs ++ var tab_cached = $("#sel_tab").val(); ++ ++ switch (tab_cached) { ++ case "t_sum": ++ $('.content-right').show(); ++ break; ++ case "t_ovr": ++ $('.content-right').hide(); ++ $('.content-left').hide(); ++ if ($('#ovestat').text().length == 0) loadSummary(); ++ break; ++ case "t_view": ++ $('.content-right').hide(); ++ $('.content-left').hide(); ++ loadViews(); ++ default: ++ $('.content-right').hide(); ++ $('.content-left').hide(); ++ break; ++ } ++ ++ $('#' + 
tab_cached).attr('class','tab_active');
++ $("#" + tab_cached + "_content").attr('class','content_active');
++
++ $(".tab,.tab_active").click(function(event) {
++ var active = $(".tab_active").attr('id');
++ var content = $(".content_active").attr('id');
++ if ($(".fl_val_on")[0]) {
++ $('.b_update').click();
++ }
++
++ if ( this.id != active ) {
++ $("#" + active).removeClass('tab_active');
++ $("#" + active).addClass('tab');
++ $(this).attr('class','tab_active');
++ $("#" + content).attr('class','content');
++ $("#" + this.id + "_content").attr('class','content_active');
++ activeTab = $(".tab_active").attr('id');
++ $('.pin').hide();
++
++ switch (activeTab) {
++ case "t_sum":
++ $('.content-right').show();
++ if (Number($('.botog').data('val')) == 1) $('.content-left').show();
++ $('.t_pbar').css('opacity',1);
++ $('.db_links').hide();
++ $('.pin').show();
++ break;
++ case "t_ovr":
++ $('.content-right').hide();
++ $('.content-left').hide();
++ if ($('#ovestat').text().length == 0) loadSummary();
++ $('.t_pbar').css('opacity',.1);
++ $('.db_links').hide();
++ break;
++ case "t_view":
++ $('.content-right').hide();
++ $('.content-left').hide();
++ $('.t_pbar').css('opacity',.1);
++ loadViews();
++ break;
++ default:
++ $('.content-right').hide();
++ $('.content-left').hide();
++ $('.t_pbar').css('opacity',.1);
++ $('.db_links').hide();
++ break;
++ }
++
++ $('#sel_tab').val(activeTab);
++ var ctab = $('#sel_tab').val();
++ var urArgs = "type=" + 5 + "&tab=" + ctab;
++ $.get(".inc/callback.php?" 
+ urArgs);
++ }
++ });
++
++ // Sub tab groups
++ $(".tsg").click(function(event) {
++ var nc = Number($(this).attr('class').split(/\s/).length);
++ var ct = $(this).data('tab');
++ $('.tsg_active').attr('class','tsg');
++ $(this).attr('class','tsg tsg_active');
++ });
++
++ // Toggle and update views
++ function newView(req) {
++ // No racing please
++ var bail = $("#loader").css('display');
++ if (bail != 'none') return;
++ // Remove any stale views
++ $("#tl0,#tl1,#tl3a,#tl3b").remove();
++ var f = "0-aaa-00";
++ var s = "2a-aaa-00";
++ var cv = $("#gr").text();
++
++ switch (cv) {
++ case "on":
++ eventList(f);
++ $("#loader").show();
++ break;
++ case "off":
++ eventList(s);
++ $("#loader").show();
++ break;
++ }
++ }
++
++ // Group and ungroup
++ $(document).on("click", "#gr", function(event) {
++ var bail = $("#loader").css('display');
++ if (bail != 'none') return;
++ var cv = $('#gr').text();
++ switch (cv) {
++ case 'on':
++ $('#gr').attr('class','tvalue_off');
++ $('#gr').text('off');
++ break;
++ case 'off':
++ $('#gr').attr('class','tvalue_on');
++ $('#gr').text('on');
++ $("#event_sort").val("DESC");
++ break;
++ }
++ });
++
++ // RT check/uncheck
++ $(document).on("click", "#rt", function(event) {
++ var bail = $("#loader").css('display');
++ if (bail != 'none') return;
++ var cv = $('#rt').text();
++ switch (cv) {
++ case 'on':
++ $('#rt').attr('class','tvalue_off');
++ $('#rt').text('off');
++ rtbit = 0;
++ break;
++ case 'off':
++ $('#rt').attr('class','tvalue_on');
++ $('#rt').text('on');
++ rtbit = 1;
++ break;
++ }
++ });
++
++ // Toggle side/lower bars
++ $(document).on("click", ".botog", function(event) {
++ if ($('.tab_active').attr('id') != 't_sum') return;
++ var n = Number($('.botog').data("val"));
++ switch (n) {
++ case 1:
++ $('.botog').data("val","0");
++ $('.content-right').css("width","100%");
++ $('.botog').attr('src','.css/layout0.png');
++ break;
++ case 0:
++ $('.botog').data("val","1");
++ 
$('.content-right').css("width","82%");
++ $('.botog').attr('src','.css/layout1.png');
++ break;
++ }
++ $('.bottom').animate({height: 'toggle'});
++ $('.content-left').animate({width: 'toggle'});
++ });
++
++ // Section show and hide
++ $(".st").click(function() {
++ var thisSec = $(this).data("sec");
++ var thisSecID = "#sec_" + thisSec;
++ var thisSecVis = $(thisSecID).css("display");
++ var lastSection = "h";
++ switch (thisSecVis) {
++ case "none":
++ $(this).attr("src", ".css/uarr.png");
++ $(thisSecID).slideDown();
++ break;
++ default:
++ $(this).attr("src", ".css/darr.png");
++ $(thisSecID).slideUp();
++ break;
++ }
++ });
++
++ // If search is in focus, update on enter
++ $('#search').keypress(function(e) {
++ if (!e) e=window.event;
++ key = e.keyCode ? e.keyCode : e.which;
++ if (key == 13) {
++ // Close comment box if it is open
++ if ($('#cat_box').css('display') != 'none') {
++ $('#ico01').click();
++ }
++ $('.b_update').click();
++ }
++ });
++
++ // Sort ASC/DESC
++ $(document).on("click", ".event_time", function(event) {
++ var csv = $(".event_time").text();
++ switch (csv) {
++ case "show oldest first":
++ $("#event_sort").val("ASC");
++ break;
++ case "show newest first":
++ $("#event_sort").val("DESC");
++ break;
++ }
++ newView("u");
++ });
++
++ // Update page
++ $(document).on("click", ".b_update", function(event) {
++ $(".icon_notifier").fadeToggle();
++ $(".tag").remove();
++ $(".tag_empty").show();
++ // Remove any supplementary results
++ if ($("#extresult")[0]) $("#extresult").remove();
++ // Where are we? 
++ var curTab = $('.tab_active').attr('id');
++ switch (curTab) {
++ case 't_ovr':
++ loadSummary();
++ break;
++ case 't_view':
++ mkView();
++ break;
++ default:
++ $(".b_update_note").hide();
++ newView("u");
++ break;
++ }
++ });
++
++ // Clear search and refresh
++ $('#clear_search').click(function() {
++ if ($('#search').val() != '') {
++ $('#search').val('');
++ $("#search").focus();
++ if ($(".fl_val_on")[0]) {
++ $('.b_update').click();
++ }
++ }
++ });
++
++ // Logout
++ $("#logout").click(function(event) {
++ //$.get("/logout.html", function(){location.reload()});
++ location.replace("/logout.html");
++ });
++
++ // Toggle filters
++ $(document).on('click', '.fl_val_on', function(event) {
++ var wF = $(this).data("ft");
++ switch (wF) {
++ case "tl":
++
++ break;
++ case "ob":
++ $('#clear_search').click();
++ break;
++ case "sn":
++ $(".chk_sen").each(function() {
++ $(this).prop("checked",false);
++ });
++ $('.b_update').click();
++ break;
++ }
++ });
++
++ function clearTags() {
++ //$(".tag").remove();
++ //$(".tag_empty").show();
++ $(".tag").removeClass('tag_active');
++ }
++
++ //
++ // Rows
++ //
++
++ function closeRow() {
++ $("#active_eview").remove();
++ $("#" + this.id).attr('class','d_row');
++ $(".d_row").css('opacity','1');
++ ltCol = $(".d_row_active").find('td.lt').html();
++ $(".d_row_active").find('td.lt').css('background', ltCol);
++ $(".d_row_active").attr('class','d_row');
++ // Update class_count
++ $("#class_count").text(lastclasscount);
++ // Get rid of any crashed loaders
++ $("#loader").hide();
++ // Reset checkbox
++ $(".chk_all").prop("checked",false);
++ // Clear Tags
++ clearTags();
++ }
++ function closeSubRow() {
++ $("#eview_sub1").remove();
++ $("#" + this.id).attr('class','d_row_sub');
++ $(".d_row_sub").css('opacity','1');
++ $(".d_row_sub_active").attr('class','d_row_sub');
++ // Update class_count
++ $("#class_count").text(lastclasscount);
++ curclasscount = lastclasscount;
++ $("#loader").hide();
++ // Reset and 
show checkbox ++ $(".chk_all").prop("checked",false); ++ $("#ca0").show(); ++ // Remove any open externals ++ if ($("#extresult")[0]) $("#extresult").remove(); ++ // Clear Tags ++ clearTags(); ++ } ++ function closeSubRow1() { ++ $("#eview_sub2").remove(); ++ $("#" + this.id).attr('class','d_row_sub1'); ++ if (!$("#eview_sub3")[0]) { ++ $(".d_row_sub1").css('opacity','1'); ++ $(".d_row_sub_active1").attr('class','d_row_sub1'); ++ } ++ $("#loader").hide(); ++ // Reset checkbox ++ $(".chk_all").prop("checked",false); ++ // Remove any open externals ++ if ($("#extresult")[0]) $("#extresult").remove(); ++ // Clear Tags ++ clearTags(); ++ } ++ function closeSubRow2() { ++ $("#eview_sub3").remove(); ++ $("#" + this.id).attr('class','d_row_sub1'); ++ if (!$("#eview_sub2")[0]) { ++ $(".d_row_sub1").css('opacity','1'); ++ $(".d_row_sub1_active").attr('class','d_row_sub1'); ++ } ++ $("#loader").hide(); ++ // Clear Tags ++ clearTags(); ++ } ++ ++ // ++ // Level 1 ++ // ++ ++ $(document).on("click", ".row_active", function(event) { ++ var curID = $(this).parent('tr').attr('id'); ++ // What type of row are we? ++ rowType = curID.substr(0,3); ++ ++ // Make sure no other instances are open ++ if (!$(".d_row_active")[0] && rowType == 'sid') { ++ $("#loader").show(); ++ // This leaves us with sid-gid ++ var rowValue = curID.replace("sid-",""); ++ var sigID = rowValue.split("-")[0]; ++ ++ $(".d_row_active").attr('class', 'd_row'); ++ $("#active_eview").attr('class','d_row'); ++ ++ // This is now the active row ++ $("#" + curID).attr('class','d_row_active'); ++ $("html, body").animate({ scrollTop: $('.d_row_active').offset().top - 140 }, 20); ++ // History ++ var itemToAdd = $("#" + curID).find('[class*="row_filter"]').text(); ++ hItemAdd(itemToAdd); ++ // Set the class count (counted again after load) ++ curclasscount = $('.d_row_active').data('event_count'); ++ var cols = $('th.sort').length; ++ var tbl = ''; ++ tbl += ""; ++ tbl += "
"; ++ tbl += "
"; ++ tbl += "
"; ++ tbl += "
"; ++ tbl += "
"; ++ tbl += "
"; ++ tbl += "
"; ++ tbl += "
"; ++ tbl += ""; ++ tbl += "CATEGORIZE"; ++ tbl += curclasscount + "EVENT(S)  "; ++ tbl += "    "; ++ tbl += "CREATE FILTER: "; ++ tbl += "src  "; ++ tbl += "dst  "; ++ tbl += "both"; ++ tbl += "
"; ++ $("#" + curID).after(tbl); ++ ++ // Lookup signature ++ sigLookup(rowValue); ++ ++ // Fetch results ++ eventList("1-" + rowValue); ++ ++ $("#eview").show(); ++ $(".d_row").fadeTo('0','0.2'); ++ } else { ++ closeRow(); ++ } ++ }); ++ ++ // ++ // Level 2 ++ // ++ ++ $(document).on("click", ".sub_active", function() { ++ if (!$(".d_row_sub_active")[0]) { ++ var callerID = $(this).parent('tr').attr('id'); ++ ++ // Reset checkbox ++ $(".chk_all").prop("checked",false); ++ ++ // RT or ALL? ++ switch (rtbit) { ++ case 1: adqp = s2h("AND event.status = 0"); break; ++ case 0: adqp = s2h("empty"); break; ++ } ++ // We are now the active row ++ $("#" + callerID).attr('class','d_row_sub_active'); ++ ++ // Populate search times ++ var bt = $("#" + callerID).find('[class*="timestamp"]').html(); ++ var est = mkStamp(bt,"-",3600000,thisTZ); ++ var eet = mkStamp(bt,"+",3600000,thisTZ); ++ ++ $('#el_start').val(est); ++ $('#el_end').val(eet); ++ ++ // Clear search terms ++ $("#srchterms").html(''); ++ $(".srch_txt").val(''); ++ ++ // History and search ++ $("#" + callerID).find('[class*="sub_filter"]').each(function() { ++ if ($(this).data('type') == 'cc') { ++ var itemToAdd = $(this).data('value'); ++ } else { ++ var itemToAdd = $(this).text(); ++ // Add search terms ++ $("#srchterms").append("" + itemToAdd + "  "); ++ } ++ hItemAdd(itemToAdd); ++ }); ++ ++ $("#loader").show(); ++ eventList("2-" + callerID + "-" + adqp); ++ } else { ++ closeSubRow(); ++ } ++ }); ++ ++ // ++ // Level 3 (a or b) request payload ++ // ++ ++ $(document).on("click", ".sub1_active", function() { ++ // Close transcript if it is open ++ if ($(".eview_sub3")[0]) closeSubRow2(); ++ if (!$(".d_row_sub_active1")[0]) { ++ var callerID = $(this).parent('tr').attr('id'); ++ $("#" + callerID).attr('class','d_row_sub_active1'); ++ ++ // Populate search times ++ var bt = $("#" + callerID).find('[class*="timestamp"]').html(); ++ var est = mkStamp(bt,"-",1800000,thisTZ); ++ var eet = 
mkStamp(bt,"+",1800000,thisTZ); ++ ++ $('#el_start').val(est); ++ $('#el_end').val(eet); ++ ++ // Clear search terms ++ $("#srchterms").html(''); ++ $(".srch_txt").val(''); ++ ++ // History ++ $("#" + callerID).find('[class*="sub_filter"]').each(function() { ++ if ($(this).data('type') == 'cc') { ++ var itemToAdd = $(this).data('value'); ++ } else { ++ var itemToAdd = $(this).text(); ++ } ++ if ($(this).data('type') == 'ip') { ++ // Add search terms ++ $("#srchterms").append("" + itemToAdd + "  "); ++ } ++ hItemAdd(itemToAdd); ++ }); ++ $("#loader").show(); ++ eventList("3-" + callerID); ++ } else { ++ closeSubRow1() ++ } ++ }); ++ ++ // ++ // Level 3 (a or b) request transcript ++ // ++ ++ $(document).on("click", ".sub2_active", function(event) { ++ // Close payload if it is open ++ if ($(".eview_sub2")[0]) closeSubRow1(); ++ var bail = $("#loader").css('display'); ++ if (bail != 'none') return; ++ if (!$(".eview_sub3")[0]) { ++ $("#loader").show(); ++ composite = $(this).data('tx').split("-"); ++ rowLoke = composite[0]; ++ $("#" + rowLoke).attr('class','d_row_sub1_active'); ++ nCols = $("#" + rowLoke).find('td').length; ++ cid = composite[1]; ++ txdata = composite[2]; ++ ++ // See if a transcript is available ++ var urArgs = "type=" + 7 + "&txdata=" + txdata; ++ $(function(){ ++ $.post(".inc/callback.php?" + urArgs, function(data){cb5(data)}); ++ }); ++ ++ function cb5(data){ ++ eval("txRaw=" + data); ++ txCMD = txRaw.cmd; ++ txResult = txRaw.tx; ++ txDebug = txRaw.dbg; ++ if (txResult == "DEBUG:") txResult += " No data was returned."; ++ if (!txResult) { ++ txResult = "Transcript request failed!

"; ++ txResult += "The command was:
" + txCMD + "

"; ++ txResult += "The response was:" + txDebug.replace(/DEBUG:/g,"
"); ++ } ++ ++ var row = '',tbl = ''; ++ row += ""; ++ row += ""; ++ row += "
"; ++ row += txResult; ++ row += "
"; ++ ++ tbl += ""; ++ tbl += row; ++ tbl += ""; ++ $("#" + rowLoke).after(tbl); ++ ++ // Turn off fade effect for large results ++ var rC = $(".d_row_sub1").length; ++ if ( rC <= 399 ) { ++ $(".d_row_sub1").fadeTo('fast','0.2'); ++ } ++ ++ $("#loader").hide(); ++ } ++ } else { ++ closeSubRow2(); ++ } ++ }); ++ ++ // Toggle RT depending on entry point ++ $(document).on("click", ".b_ec_hot", function() { ++ rtbit = 1; ++ }); ++ $(document).on("click", ".b_ec_total", function() { ++ rtbit = 0; ++ }); ++ ++ // Filter constructor ++ function mkFilter() { ++ if ($('#search').val().length > 0) { ++ ++ var srchVal = $('#search').val(); ++ var fParts = ""; ++ ++ // If no term is supplied default to a string, IP or wildcard IP search ++ chkVal: ++ if (srchVal.indexOf(" ") == -1 && srchVal[0] != "!") { ++ var re = /^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}/; ++ if (re.exec(srchVal)) { ++ srchVal = "ip " + srchVal; ++ break chkVal; ++ } ++ ++ var re = /^(\d{1,3}|%)\.(\d{1,3}|%)\.(\d{1,3}|%)\.(\d{1,3}|%)/; ++ if (re.exec(srchVal)) { ++ srchVal = "wip " + srchVal; ++ break chkVal; ++ } ++ ++ srchVal = "sig " + srchVal; ++ } ++ ++ fParts = srchVal.replace(/^!/,"").split(" "); ++ if (fParts[0] == 'cmt') { ++ var theFilter = s2h($('#search').val()); ++ rtbit = 0; ++ } else { ++ // Now see if the requested filter exists ++ if ($("#tr_" + fParts[0]).length > 0) { ++ tmpFilter = $("#tr_" + fParts[0]).data('filter'); ++ // Now see if we need to modify the query ++ if (fParts[1]) { ++ // This is the base filter ++ preFilter = h2s(tmpFilter); ++ // This is the user supplied text. 
++ var re = new RegExp("^" + fParts[0] + "\\s{1}|[';\\\`]","g"); ++ theQuestion = fParts.join(' ').replace(re, ""); ++ // We will accept multiple questions if they are comma delimited ++ questionParts = theQuestion.split(","); ++ if (questionParts.length > 1) { ++ var f = '('; ++ for (var i = 0; i < questionParts.length; i++) { ++ f += preFilter.replace(/\$/g, questionParts[i]); ++ if (i != (questionParts.length - 1)) { ++ f += " OR "; ++ } ++ } ++ f += ')'; ++ theFilter = s2h(f); ++ } else { ++ var newFilter = preFilter.replace(/\$/g, questionParts[0]); ++ theFilter = s2h(newFilter); ++ } ++ } else { ++ theFilter = tmpFilter; ++ } ++ } else { // The filter does not exist ++ theFilter = s2h('empty'); ++ } ++ } ++ } else { // No filter supplied ++ theFilter = s2h('empty'); ++ } ++ return theFilter; ++ } ++ ++ // ++ // This creates the views for each level ++ // ++ ++ function eventList (type) { ++ theWhen = getTimestamp(); ++ statusPoll(0); ++ var parts = type.split("-"); ++ var filterMsg = ''; ++ var rt = 0; ++ var theSensors = s2h('empty'); ++ var theFilter = mkFilter(); ++ ++ // See if we are just RT events ++ if ($('#rt').text() == 'on' || rtbit == 1) { ++ rt = 1; ++ rtbit = 1; ++ } ++ // How are we sorting? 
++ var sortval = $("#event_sort").val(), sorttxt; ++ switch (sortval) { ++ case "DESC": sorttxt = "show oldest first"; break; ++ case "ASC": sorttxt = "show newest first"; break; ++ } ++ ++ // See if we are filtering by sensor ++ if ($('.chk_sen:checked').length > 0) { ++ var active_sensors = "AND event.sid IN("; ++ var iter = $('.chk_sen:checked').length; ++ $('.chk_sen:checked').each(function() { ++ active_sensors += "'" + $(this).val() + "',"; ++ }); ++ active_sensors = active_sensors.replace(/,+$/,''); ++ active_sensors += ")"; ++ theSensors = s2h(active_sensors); ++ } ++ ++ // Check for any filters ++ if (h2s(theFilter) != 'empty') { ++ $('.fl_val').text('YES'); ++ } else { ++ $('.fl_val').text('NO'); ++ } ++ ++ switch (parts[0]) { ++ ++ // Level 0 view - Grouped by Signature ++ case "0": ++ $('.value').text('-'); ++ ++ // Times Chart ++ var urChrtArgs = "type=22&ts=" + theWhen + "&filter=" + theFilter + "&sensors=" + theSensors; ++ $(function(){ ++ $.get(".inc/callback.php?" + urChrtArgs, function(data){cb22(data)}); ++ }); ++ ++ function cb22(data){ ++ eval("chartData=" + data); ++ var r = chartData.r; ++ if (r > 0) { ++ mkLine(".times",chartData.rows,chartData.m); ++ } ++ } ++ ++ var urArgs = "type=" + parts[0] + "&ts=" + theWhen + "&filter=" + theFilter + "&sensors=" + theSensors + "&rt=" + rt + "&sv=" + sortval; ++ $(function(){ ++ $.get(".inc/callback.php?" 
+ urArgs, function(data){cb1(data)}); ++ }); ++ function cb1(data){ ++ eval("d0=" + data); ++ var tbl = ''; ++ var head = ''; ++ var row = ''; ++ var cols = 11; ++ ++ if (rt == 0) cols = 12; ++ head += ""; ++ head += ""; ++ head += "QUEUE"; ++ if (rt == 0) head += "ALL"; ++ head += ""; ++ head += "SC"; ++ head += "DC"; ++ if (rt == 0) head += "CLASS"; ++ head += "ACTIVITY"; ++ head += "LAST EVENT"; ++ head += "SIGNATURE"; ++ head += "ID"; ++ head += "PROTO"; ++ head += "% TOTAL"; ++ head += ""; ++ ++ var sumEC = 0, sumSC = 0, sumDC = 0, sumSI = "-", spr1 = 0, spr2 = 0, spr3 = 0, spr4 = 0; ++ ++ if (d0.length > 0) { ++ // Sums for boxes ++ for (var i=0; i"; ++ row += "No result. If this is unexpected try this"; ++ } ++ ++ if (rt == 1) { ++ sumSC = "-"; ++ sumDC = "-"; ++ sumEC = eTotal; ++ } ++ ++ var sumRT = 0; ++ ++ // Tag Array ++ var tags = new Array(); ++ ++ for (var i=0; i 0 ) { ++ rtClass = "b_ec_hot"; ++ sumRT += parseInt(unClass); ++ } else { ++ rtClass = "b_ec_cold"; ++ } ++ ++ // Sum priorities ++ var prC = Number(d0[i].f1); ++ switch (d0[i].f13) { ++ case "1": spr1 += prC; break; ++ case "2": spr2 += prC; break; ++ case "3": spr3 += prC; break; ++ default: spr4 += prC; break; ++ } ++ ++ rid = "r" + i + "-" + parts[1]; ++ var cells = mkGrid(d0[i].f12); ++ if (rt == 0) var catCells = catGrid(d0[i].f11,0,0); ++ row += ""; ++ row += "
" + unClass + "
"; ++ if (rt == 0) row += "
" + d0[i].f1 + "
"; ++ row += "
" + d0[i].f13 + "
"; ++ row += "" +d0[i].f6+ ""; ++ row += "" +d0[i].f7+ ""; ++ if (rt == 0) row += "" + catCells + ""; ++ ++ timeParts = d0[i].f5.split(" "); ++ timeStamp = timeParts[1]; ++ ++ if ( sumEC > 0) { ++ rowPer = Number(d0[i].f1/sumEC*100).toFixed(3); ++ } else { ++ rowPer = "0.000"; ++ } ++ ++ row += "" + cells + ""; ++ row += "" + timeStamp + ""; ++ row += ""; ++ //row += "
" + d0[i].f2 + "
"; ++ row += d0[i].f2 + ""; ++ row += "" + d0[i].f3 + ""; ++ row += "" + d0[i].f8 + ""; ++ ++ ++ row += "" + rowPer + "%"; ++ row += ""; ++ } ++ ++ // Populate event summary ++ $('#qtotal').text(sumRT); ++ $('#etotal').text(sumEC); ++ $('#esignature').text(sumSI); ++ ++ // Populate tags ++ for (var i=0; i < tags.length; i++) { ++ addTag(tags[i]); ++ } ++ ++ tbl += ""; ++ tbl += head; ++ tbl += row; ++ tbl += "
"; ++ ++ $('#' + parts[1] + '-' + parts[2]).append(tbl); ++ ++ if (d0.length > 0) { ++ var prVals = [spr1,spr2,spr3,spr4]; ++ var pryBar = mkPribar(prVals); ++ } else { ++ var pryBar = mkPribar([0]); ++ } ++ $('#tl1').fadeIn('slow'); ++ $("#tl1").tablesorter(); ++ $("#loader").hide(); ++ } ++ break; ++ ++ // Level 1 view - Grouped by signature, source, destination ++ ++ case "1": ++ var urArgs = "type=" + parts[0] + "&object=" + parts[1] + "&ts=" + theWhen + "&filter=" + theFilter + "&sensors=" + theSensors + "&rt=" + rt + "&sv=" + sortval; ++ $(function(){ ++ $.get(".inc/callback.php?" + urArgs, function(data){cb2(data)}); ++ }); ++ ++ function cb2(data){ ++ eval("theData=" + data); ++ tbl = ''; ++ head = ''; ++ row = ''; ++ head += "QUEUE"; ++ if (rt == 0) head += "TOTAL"; ++ if (rt == 0) head += "CLASS"; ++ head += "ACTIVITY"; ++ head += "LAST EVENT"; ++ head += "SOURCE"; ++ head += "AGE"; ++ head += "COUNTRY"; ++ head += "DESTINATION"; ++ head += "AGE"; ++ head += "COUNTRY"; ++ head += ""; ++ var curclasscount = 0, tlCount = 0, rtCount = 0; ++ var timeValues = "", scid = ""; ++ ++ // Tag array ++ var tags = new Array(); ++ ++ for (var i=0; i 0 ) { ++ rtClass = "b_ec_hot"; ++ isActive = "sub_active"; ++ } else { ++ rtClass = "b_ec_cold"; ++ isActive = "sub"; ++ } ++ ++ // Aggregate time values ++ timeValues += theData[i].c_ts + ","; ++ var cells = mkGrid(theData[i].f12); ++ if (rt == 0) var catCells = catGrid(theData[i].c_status,0,0); ++ ++ // Event sums ++ tlCount += parseInt(count,10); ++ rtCount += parseInt(unclass,10); ++ ++ rid = "r" + i + "-" + parts[1] + "-" + src_ip + "-" + dst_ip; ++ row += ""; ++ row += "
" + unclass + "
"; ++ if (rt == 0) row += "
" + count + "
"; ++ if (rt == 0) row += "" + catCells + ""; ++ row += "" + cells + ""; ++ row += "" + max_time + ""; ++ row += "
" + src_ip + ""; ++ row += "" + src_age_n + ""; ++ row += ""; ++ row += cs[1] + src_clong + " (." + src_cc.toLowerCase() + ")" + ""; ++ row += "
" + dst_ip + ""; ++ row += "" + dst_age_n + ""; ++ row += ""; ++ row += cd[1] + dst_clong + " (." + dst_cc.toLowerCase() + ")" + ""; ++ row += ""; ++ } ++ ++ // Populate tags ++ for (var i=0; i < tags.length; i++) { ++ addTag(tags[i]); ++ } ++ ++ // Add scid's to checkbox ++ $("#ca0").data("scid", scid.replace(/,$/, "")); ++ ++ // If queue is empty provide event sums in case the user ++ // intends to reclass anything ++ if (rtbit == 1) { ++ curclasscount = rtCount; ++ } else { ++ curclasscount = tlCount; ++ } ++ ++ // update class_count ++ $("#class_count").html(curclasscount); ++ lastclasscount = $("#class_count").html(); ++ ++ // While in grouped events (RT) we remove rows as ++ // they are classed and subtract the values from "Total Events" ++ // This keeps etotal up to date so the math doesn't get silly ++ var oldrt = Number($(".d_row_active").find(".b_ec_hot").text()); ++ var oldec = Number($("#etotal").text()); ++ if (oldrt < rtCount) { ++ newrtcount = parseInt((rtCount - oldrt) + oldec); ++ $("#etotal").text(newrtcount); ++ } ++ ++ // Update parent counts ++ $(".d_row_active").find(".b_ec_hot").text(rtCount); ++ if (rt == 0) $(".d_row_active").find(".b_ec_total").text(tlCount); ++ ++ tbl += "
"; ++ tbl += head; ++ tbl += row; ++ tbl += "
"; ++ $("#eview").after(tbl); ++ $("#tl2").tablesorter({ ++ headers: { ++ 4: {sorter:'ipv4'}, ++ 6: {sorter:'ipv4'} ++ } ++ }); ++ $("#loader").hide(); ++ } ++ break; ++ ++ // Level 2 view - No grouping, individual events ++ ++ case "2": ++ var rowLoke = parts[1]; ++ var filter = $('#' + parts[1]).data('filter'); ++ var urArgs = "type=" + parts[0] + "&object=" + filter + "&filter=" + theFilter + "&sensors=" + theSensors + "&ts=" + theWhen + "&adqp=" + parts[2] + "&rt=" + rt + "&sv=" + sortval; ++ $(function(){ ++ $.get(".inc/callback.php?" + urArgs, function(data){cb3(data)}); ++ }); ++ ++ function cb3(data){ ++ eval("d2=" + data); ++ tbl = ''; ++ head = ''; ++ row = ''; ++ head += ""; ++ head += ""; ++ head += "ST"; ++ head += "TIMESTAMP"; ++ head += "EVENT ID"; ++ head += "SOURCE"; ++ head += "PORT"; ++ head += "DESTINATION"; ++ head += "PORT"; ++ head += "SIGNATURE"; ++ head += ""; ++ ++ // Update class_count ++ $("#class_count").html(0); ++ var tlCount=0, rtCount=0; ++ ++ // Tag array ++ var tags= new Array(); ++ ++ for (var i=0; i"; ++ tclass = "c" + eclass; ++ cv = classifications.class[tclass][0].short; ++ ++ // Populate tags array ++ if (src_tag != "-") { ++ var src_tags = src_tag.split(","); ++ $.each(src_tags, function(n,tag) { ++ var t = tags.indexOf(tag); ++ if (t < 0) tags.push(tag); ++ }); ++ } ++ ++ if (dst_tag != "-") { ++ var dst_tags = dst_tag.split(","); ++ $.each(dst_tags, function(n,tag) { ++ var t = tags.indexOf(tag); ++ if (t < 0) tags.push(tag); ++ }); ++ } ++ ++ // Timestamp ++ var compts = d2[i].f2.split(",") || "--"; ++ var timestamp = compts[0]; ++ var utctimestamp = compts[1]; ++ ++ // Event sums ++ tlCount += parseInt(1,10); ++ if (cv == "RT") { ++ rtCount += parseInt(1,10); ++ } ++ ++ // Transcript link ++ // original Squert native pivot: ++ //txdata = "s" + i + "-" + cid + "-" + s2h(sid + "|" + utctimestamp + "|" + src_ip + "|" + src_port + "|" + dst_ip + "|" + dst_port); ++ //txBit = "" + sid + "." + cid + "
"; ++ //if (src_port != "-" && dst_port != "-") { ++ // txBit = "" + sid + "." + cid + ""; ++ //} ++ // new pivot to CapMe: ++ txdata = "s" + i + "-" + cid + "-" + s2h(sid + "|" + utctimestamp + "|" + src_ip + "|" + src_port + "|" + dst_ip + "|" + dst_port); ++ txBit = "" + sid + "." + cid + ""; ++ if (src_port != "-" && dst_port != "-") { ++ var startDate = new Date(utctimestamp); ++ var start_tz_offset = (startDate.getTimezoneOffset()); ++ var stime = startDate.setTime( startDate.getTime()/1000-(start_tz_offset*60) ) - 3600; ++ var endDate = new Date(utctimestamp); ++ var end_tz_offset = (endDate.getTimezoneOffset()); ++ var etime = endDate.setTime( endDate.getTime()/1000-(end_tz_offset*60) ) + 3600; ++ txBit = " " + sid + "." + cid + ""; ++ } ++ ++ row += ""; ++ row += "
"; ++ row += cv + "
"; ++ row += "" + timestamp + ""; ++ row += txBit; ++ row += "" + src_ip + ""; ++ row += "" + src_port + ""; ++ row += "" + dst_ip + ""; ++ row += "" + dst_port + ""; ++ row += "" + signature + ""; ++ row += ""; ++ } ++ ++ // Update parent counts ++ $(".d_row_sub_active").find(".b_ec_hot").text(rtCount); ++ if ($(".d_row_sub_active").find(".b_ec_total").text() < tlCount) { ++ $(".d_row_sub_active").find(".b_ec_total").text(tlCount); ++ } ++ ++ var cols = $('th.sort').length; ++ ++ // Populate tags ++ clearTags(); ++ for (var i=0; i < tags.length; i++) { ++ addTag(tags[i]); ++ } ++ ++ tbl += ""; ++ tbl += ""; ++ tbl += head; ++ tbl += row; ++ tbl += "
"; ++ $("#" + rowLoke).after(tbl); ++ $(".d_row_sub").fadeTo('0','0.2'); ++ $("#loader").hide(); ++ $("#tl3").tablesorter({ ++ headers: { ++ 0:{sorter:false}, ++ 4:{sorter:'ipv4'}, ++ 6:{sorter:'ipv4'} ++ }, ++ cancelSelection:false ++ }); ++ $("#ca0").hide(); ++ } ++ break; ++ ++ // Level 2a view - No grouping, individual events ++ ++ case "2a": ++ $('.value').text('-'); ++ var urArgs = "type=2a&ts=" + theWhen + "&filter=" + theFilter + "&sensors=" + theSensors + "&rt=" + rt + "&sv=" + sortval; ++ $(function(){ ++ $.get(".inc/callback.php?" + urArgs, function(data){cb3a(data)}); ++ }); ++ ++ function cb3a(data){ ++ eval("d2a=" + data); ++ var tbl = ''; ++ var head = ''; ++ var row = ''; ++ var disabled = ''; ++ if (d2a.length == 0) { ++ disabled = "disabled"; ++ row += ""; ++ row += "No result. If this is unexpected try this"; ++ } ++ ++ head += ""; ++ head += ""; ++ head += ""; ++ head += "ST"; ++ head += ""; ++ head += "TIMESTAMP"; ++ head += "ID"; ++ head += "SOURCE"; ++ head += "PORT"; ++ head += "AGE"; ++ head += "CC"; ++ head += "DESTINATION"; ++ head += "PORT"; ++ head += "AGE"; ++ head += "CC"; ++ head += "SIGNATURE"; ++ head += ""; ++ ++ // Aggregate time values ++ var timeValues = ""; ++ for (var ts=0; ts" + sid + "." + cid + ""; ++ //if (src_port != "-" && dst_port != "-") { ++ // txBit = "" + sid + "." + cid + ""; ++ //} ++ // new pivot to CapMe: ++ txdata = "s" + i + "-" + cid + "-" + s2h(sid + "|" + utctimestamp + "|" + src_ip + "|" + src_port + "|" + dst_ip + "|" + dst_port); ++ txBit = "" + sid + "." + cid + ""; ++ if (src_port != "-" && dst_port != "-") { ++ var startDate = new Date(utctimestamp); ++ var start_tz_offset = (startDate.getTimezoneOffset()); ++ var stime = startDate.setTime( startDate.getTime()/1000-(start_tz_offset*60) ) - 3600; ++ var endDate = new Date(utctimestamp); ++ var end_tz_offset = (endDate.getTimezoneOffset()); ++ var etime = endDate.setTime( endDate.getTime()/1000-(end_tz_offset*60) ) + 3600; ++ txBit = " " + sid + "." 
+ cid + ""; ++ } ++ ++ row += ""; ++ row += ""; ++ row += "
"; ++ row += cv + "
"; ++ row += "
" + d2a[i].f16 + "
"; ++ row += "" + timestamp + ""; ++ row += txBit; ++ row += "
" + src_ip + ""; ++ row += "" + src_port + ""; ++ row += "" + src_age_n + ""; ++ row += "" + cs[1] + ""; ++ row += "
" + dst_ip + ""; ++ row += "" + dst_port + ""; ++ row += "" + dst_age_n + "" ++ row += "" + cd[1] + ""; ++ row += "" + signature + ""; ++ } ++ ++ var sumED = 0, sumEC = 0, cmsg = ""; ++ ++ if (d2a.length > 0) { ++ sumED = i; ++ sumEC = d2a.length; ++ } ++ ++ if (d2a.length >= maxI) { ++ sumRE = sumEC - maxI; ++ cmsg = " / " + sumRE + " not shown"; ++ } ++ ++ $("#qtotal").html(rsumRT); ++ ++ // Populate tags ++ clearTags(); ++ for (var i=0; i < tags.length; i++) { ++ addTag(tags[i]); ++ } ++ ++ // Draw ++ tbl += ""; ++ tbl += "
"; ++ tbl += "
"; ++ tbl += "
"; ++ tbl += "categorize " + 0 + ""; ++ tbl += " of " + sumED + " event(s)" + cmsg; ++ tbl += "
"; ++ tbl += "
" + sorttxt + "
"; ++ tbl += "
"; ++ tbl += "
"; ++ tbl += ""; ++ tbl += head; ++ tbl += row; ++ tbl += "
"; ++ $('#' + parts[1] + '-' + parts[2]).after(tbl); ++ ++ if (d2a.length > 0) { ++ var prVals = [spr1,spr2,spr3,spr4]; ++ var pryBar = mkPribar(prVals); ++ } else { ++ var pryBar = mkPribar([0]); ++ } ++ $("#tl3a,#tl3b").fadeIn('slow'); ++ $("#tl3b").tablesorter({ ++ headers: { ++ 0:{sorter:false}, ++ 1:{sorter:false}, ++ 5:{sorter:'ipv4'}, ++ 8:{sorter:'ipv4'} ++ }, ++ cancelSelection:false ++ }); ++ $("#loader").hide(); ++ } ++ break; ++ ++ // Level 3 view - Packet Data ++ ++ case "3": ++ var rowLoke = parts[1]; ++ var nCols = $('#' + parts[1]).data('cols'); ++ var filter = $('#' + parts[1]).data('filter'); ++ var urArgs = "type=" + parts[0] + "&object=" + filter + "&ts=" + theWhen; ++ var sg = $('#' + parts[1]).data('sg'); ++ $(function(){ ++ $.get(".inc/callback.php?" + urArgs, function(data){cb4(data)}); ++ }); ++ ++ function cb4(data){ ++ eval("theData=" + data); ++ ++ var tbl = '', head = '', row = ''; ++ ++ // If IP version is 0 we can jump right to the payload (likely bro, http or ossec agent) ++ if (theData[0].ip_ver != 0) { ++ ++ var PDATA = 0; ++ head += ""; ++ head += ""; ++ head += ""; ++ head += ""; ++ head += ""; ++ head += ""; ++ head += ""; ++ head += ""; ++ head += ""; ++ head += ""; ++ head += ""; ++ head += ""; ++ head += ""; ++ head += ""; ++ ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += "
IPVERIHLTOSLENGTHIDFLAGSOFFSETTTLCHECKSUMPROTO
" + theData[0].ip_ver + "" + theData[0].ip_hlen + "" + theData[0].ip_tos + "" + theData[0].ip_len + "" + theData[0].ip_id + "" + theData[0].ip_flags + "" + theData[0].ip_off + "" + theData[0].ip_ttl + "" + theData[0].ip_csum + "" + theData[0].ip_proto + "
"; ++ ++ switch (theData[0].ip_proto) { ++ case "1": ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += "
ICMPTYPECODECHECKSUMIDSEQ#
" + theData[1].icmp_type + "" + theData[1].icmp_code + "" + theData[1].icmp_csum + "" + theData[1].icmp_id + "" + theData[1].icmp_seq + "
"; ++ break; ++ ++ case "6": ++ // TCP flags ++ var tmpFlags = theData[1].tcp_flags || 'z'; ++ switch (tmpFlags) { ++ case 'z': var tcpFlags = '--------'; break; ++ default: ++ var binFlags = Number(theData[1].tcp_flags).toString(2); ++ var binPad = 8 - binFlags.length; ++ var tcpFlags = "00000000".substring(0,binPad) + binFlags; ++ break; ++ } ++ var tcp_seq = theData[1].tcp_seq || '-'; ++ var tcp_ack = theData[1].tcp_ack || '-'; ++ var tcp_off = theData[1].tcp_off || '-'; ++ var tcp_res = theData[1].tcp_res || '-'; ++ var tcp_win = theData[1].tcp_win || '-'; ++ var tcp_urp = theData[1].tcp_urp || '-'; ++ var tcp_csum = theData[1].tcp_csum || '-'; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += "
TCPR1R0URGACKPSHRSTSYNFINSEQ#ACK#OFFSETRESWINURPCHECKSUM
" + tcpFlags[0] + "" + tcpFlags[1] + "" + tcpFlags[2] + "" + tcpFlags[3] + "" + tcpFlags[4] + "" + tcpFlags[5] + "" + tcpFlags[6] + "" + tcpFlags[7] + "" + tcp_seq + "" + tcp_ack + "" + tcp_off + "" + tcp_res + "" + tcp_win + "" + tcp_urp + "" + tcp_csum + "
"; ++ break; ++ ++ case "17": ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += "
UDPLENGTHCHECKSUM
" + theData[1].udp_len + "" + theData[1].udp_csum + "
"; ++ break; ++ } ++ ++ var p_hex = '', p_ascii = '', p_ascii_l = ''; ++ ++ // Data ++ if (!theData[2]) { ++ p_hex = "No Data Sent."; ++ p_ascii = "No Data Sent."; ++ } else { ++ p_pl = theData[2].data_payload; ++ p_length = theData[2].data_payload.length; ++ var b0 = 0; ++ ++ for(var i=0; i < p_length; i+=2) { ++ b0++; ++ t_hex = p_pl.substr(i,2); ++ t_int = parseInt(t_hex,16); ++ ++ if ((t_int < 32) || (t_int > 126)) { ++ p_hex += t_hex + " "; ++ p_ascii += "."; ++ p_ascii_l += "."; ++ } else if (t_int == 60) { ++ p_hex += t_hex + " "; ++ p_ascii += "<"; ++ p_ascii_l += "<"; ++ } else if (t_int == 62) { ++ p_hex += t_hex + " "; ++ p_ascii += ">"; ++ p_ascii_l += ">"; ++ } else { ++ p_hex += t_hex + " "; ++ p_ascii += String.fromCharCode(parseInt(t_hex, 16)); ++ p_ascii_l += String.fromCharCode(parseInt(t_hex, 16)); ++ } ++ ++ if ((b0 == 16) && (i < p_length)) { ++ p_hex += "
"; ++ p_ascii += "
"; ++ b0 = 0; ++ } ++ } ++ } ++ ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += "
DATAHEXASCII
" + p_hex + "" + p_ascii + "
ASCII" + p_ascii_l + "
"; ++ ++ } else { ++ ++ head += ""; ++ var p_ascii = "No Data Sent."; ++ // This needs to be more robust. ++ if (theData[2]) { ++ var tmp = h2s(theData[2].data_payload).split("\n"); ++ p_ascii = ''; ++ for (var i in tmp) { ++ p_ascii += "
" + tmp[i] + "
"; ++ } ++ ++ } ++ row += ""; ++ row += ""; ++ row += "
" + p_ascii + "
"; ++ } ++ ++ tbl += ""; ++ ++ // If we are not grouped we show the signature text ++ if ( sg != 0 ) { ++ tbl += "
"; ++ tbl += "
"; ++ tbl += "
"; ++ tbl += "
"; ++ tbl += "
"; ++ tbl += "
"; ++ sigLookup(sg); ++ } ++ ++ // Comments and tags are done here ++ var tags = new Array(); ++ var eventTag = 'None.'; ++ var eventComment = theData[0].comment || 'None.'; ++ var src_tag = theData[0].srctag || '-'; ++ var dst_tag = theData[0].dsttag || '-'; ++ ++ // Populate tags array ++ if (src_tag != "-") { ++ var src_tags = src_tag.split(","); ++ $.each(src_tags, function(n,tag) { ++ var t = tags.indexOf(tag + ",s"); ++ if (t < 0) tags.push(tag + ",s"); ++ }); ++ } ++ ++ if (dst_tag != "-") { ++ var dst_tags = dst_tag.split(","); ++ $.each(dst_tags, function(n,tag) { ++ var t = tags.indexOf(tag + ",d"); ++ if (t < 0) tags.push(tag + ",d"); ++ }); ++ } ++ ++ if (tags.length > 0) eventTag = ''; ++ ++ tbl += "
COMMENTS
"; ++ tbl += "
" + eventComment + "
"; ++ tbl += "
TAGS
"; ++ tbl += "
" + eventTag + "
"; ++ if (PDATA != 0) { ++ tbl += "
DETAILS
"; ++ } else { ++ tbl += "
PAYLOAD
"; ++ } ++ tbl += head; ++ tbl += row; ++ tbl += ""; ++ $("#" + rowLoke).after(tbl); ++ $("#loader").hide(); ++ ++ // Turn off fade effect for large results ++ var rC = $(".d_row_sub1").length; ++ if ( rC <= 499 ) { ++ $(".d_row_sub1").fadeTo('fast','0.2'); ++ } ++ ++ // Populate tags ++ clearTags(); ++ for (var i=0; i < tags.length; i++) { ++ addTag(tags[i]); ++ } ++ ++ } ++ break; ++ } ++ // If event queue is off we need to reset this after load if b_ec_hot was ++ // the entry point ++ if ($('#rt').text() == 'off') rtbit = 0; ++ } ++ ++ // ++ // Object click handlers ++ // ++ ++ $(document).on("click", ".select,.ex_val,.sub_filter,.row_filter,.tof,.value_link,.nr_f", function(e) { ++ // Check if we are coming from a legit object ++ var prefix = $(this).data('type'); ++ if (prefix == "none") return; ++ ++ // Check if we are coming from a sane selection ++ var selLen = window.getSelection().toString().length; ++ if (selLen > 4) { ++ if (selLen < 255) { // Might need to change these based on how people use this ++ prefix = "zz"; ++ var suffix = window.getSelection().toString(); ++ var re = /\s/g; ++ var NOK = re.exec(suffix); ++ if (NOK) return; ++ } else { ++ return; ++ } ++ } else { ++ var suffix = $(this).text(); ++ } ++ ++ var mX = e.pageX; ++ var mY = e.pageY; ++ ++ var colour = $(this).data('col') || "FFFFFF"; ++ var tfocus = "#search"; ++ switch (prefix) { ++ case 'ip': ++ hItemAdd(suffix); ++ var sord = $(this).data('sord'); ++ mkPickBox(prefix,suffix,sord,colour,mX,mY); ++ break; ++ case 'spt': ++ case 'dpt': ++ hItemAdd(suffix); ++ mkPickBox(prefix,suffix,0,colour,mX,mY); ++ break; ++ case 'cc': ++ case 'scc': ++ case 'dcc': ++ var cc = $(this).data('value'); ++ hItemAdd(cc); ++ mkPickBox(prefix,cc,suffix,colour,mX,mY); ++ break; ++ case 'cmt': ++ suffix = $(this).data('comment'); ++ $("#rt").text("off"); ++ $("#rt").attr('class','tvalue_off'); ++ $('#search').val(prefix + " " + suffix); ++ hItemAdd(suffix); ++ if ($('#cat_box').css('display') != 'none') { 
++ $('#ico01').click(); ++ } ++ $('.b_update').click(); ++ break; ++ case 'cmt_c': ++ $('.cat_msg_txt').val(suffix); ++ hItemAdd(suffix); ++ tfocus = ".cat_msg_txt"; ++ break; ++ case 'fil': ++ var fil = $(this).data('value'); ++ $('#search').val(fil); ++ hItemAdd(fil); ++ if ($('#fltr_box').css('display') != 'none') { ++ $('#ico04').click(); ++ } ++ $('.b_update').click(); ++ break; ++ case 'sid': ++ var value = $(this).data('value'); ++ hItemAdd(suffix); ++ mkPickBox(prefix,value,suffix,colour,mX,mY); ++ break; ++ case 'st': ++ var suffix = $(this).attr('id').split('-')[1]; ++ $('#search').val(prefix + " " + suffix); ++ // RT must be off to return anything ++ $('#rt').attr('class','tvalue_off'); ++ $('#rt').text('off'); ++ rtbit = 0; ++ $('.b_update').click(); ++ break; ++ case 'el': ++ var suffix = $(this).data('value'); ++ mkPickBox(prefix,suffix,0,colour,mX,mY); ++ break; ++ case 'zz': ++ hItemAdd(suffix); ++ mkPickBox(prefix,suffix,0,colour,mX,mY); ++ break; ++ } ++ }); ++ ++ // ++ // Picker Box ++ // ++ ++ function mkPickBox(prefix,suffix,rsuffix,colour,mX,mY) { ++ var doexternals = "yes"; ++ var objhex = s2h(suffix); ++ var tbl = '', row = ''; ++ // Local stuff first ++ switch (prefix[prefix.length - 1]) { ++ case "c": ++ row += ":: SRC or DST"; ++ row += ":: SRC"; ++ row += ":: DST"; ++ row += ":: SEARCH"; ++ break; ++ case "p": ++ row += ":: SRC or DST"; ++ row += ":: SRC"; ++ row += ":: DST"; ++ row += ":: ADD / REMOVE TAG"; ++ if ($('.sigtxt')[0]) { ++ row += ":: HISTORY"; ++ } ++ row += ":: SEARCH"; ++ row += ":: COLOUR  "; ++ row += ""; ++ row += "apply"; ++ row += "apply all"; ++ row += ""; ++ break; ++ case "t": ++ row += ":: SRC"; ++ row += ":: DST"; ++ row += ":: SEARCH"; ++ break; ++ case "d": ++ row += ":: SIGNATURE"; ++ if ($('.sigtxt')[0]) { ++ row += ":: HISTORY"; ++ } ++ row += ":: SEARCH"; ++ break; ++ case "l": ++ row += ":: COLOUR  "; ++ row += ""; ++ row += "update"; ++ doexternals = "no"; ++ break; ++ case "z": ++ row += ":: SEARCH"; ++ 
break; ++ } ++ ++ // If applicable populate externals ++ if (doexternals == "yes") { ++ $('.f_row').each(function() { ++ var ct = $(this).data('type'); ++ if (ct == 'url') { ++ var alias = $(this).data('alias'); ++ var name = $(this).data('name'); ++ var url = $(this).data('filter'); ++ row += ""; ++ row += "" + name + ""; ++ row += ""; ++ } ++ }); ++ } ++ ++ tbl += ""; ++ tbl += row; ++ tbl += "
"; ++ ++ var boxlabel = suffix; ++ ++ // Use more descriptive names where possible ++ var re = /(sid|cc|scc|dcc)/; ++ var OK = re.exec(prefix); ++ if (OK) { ++ var boxlabel = rsuffix; ++ } ++ ++ if (boxlabel.length > 24) { ++ boxlabel = boxlabel.substring(0,24); ++ boxlabel += ".."; ++ } ++ ++ $('#pickbox_label').text(boxlabel).css('font-weight','normal').data('sord', rsuffix); ++ ++ if ($('#tlpick')[0]) $('#tlpick').remove(); ++ $(".pickbox_tbl").append(tbl); ++ $('.pickbox').fadeIn('fast'); ++ ++ // Colour Picker ++ $("#menucol").spectrum({ ++ showInput: true, ++ className: "full-spectrum", ++ showInitial: true, ++ showPalette: true, ++ showSelectionPalette: true, ++ maxPaletteSize: 6, ++ preferredFormat: "hex", ++ localStorageKey: "spectrum.demo", ++ move: function (color) {}, ++ show: function () {}, ++ beforeShow: function () {}, ++ hide: function () {}, ++ change: function() {}, ++ palette: [ ++ ['rgb(217,217,217)','rgb(189,189,189)','rgb(150,150,150)','rgb(99,99,99)','rgb(37,37,37)'], ++ ['rgb(199,233,192)','rgb(161,217,155)','rgb(116,196,118)','rgb(49,163,84)','rgb(0,109,44)'], ++ ['rgb(218,218,235)','rgb(188,189,220)','rgb(158,154,200)','rgb(117,107,177)','rgb(84,39,143)'], ++ ['rgb(198,219,239)','rgb(158,202,225)','rgb(107,174,214)','rgb(49,130,189)','rgb(8,81,156)'], ++ ['rgb(254,217,118)','rgb(254,178,76)','rgb(253,141,60)','rgb(240,59,32)','rgb(189,0,38)'] ++ ] ++ }); ++ } ++ ++ // Pickbox click events ++ $(document).on('click', '.p_row', function() { ++ if ($('.tagbox').css('display') != 'none') $('.tagcancel').click(); ++ var ctype = $(this).data('type'); ++ var alias = $(this).data('alias'); ++ var args = $('#tlpick').data('val'); ++ switch(ctype) { ++ case "l": ++ $('.pickbox').fadeOut('fast'); ++ $('#search').val(alias + " " + args); ++ $('.b_update').click(); ++ break; ++ case "r": ++ $('.pickbox').fadeOut('fast'); ++ var url = h2s($(this).data('url')).replace("${var}", args); ++ window.open(url); ++ break; ++ case "t": ++ 
$('.tagbox').fadeIn('fast'); ++ $('.taginput').focus(); ++ break; ++ case "s": ++ $('.pickbox').fadeOut('fast', function() {; ++ $('#ico05').click(); ++ }); ++ $('.srch_txt').val(args); ++ break; ++ case "h": ++ doHistory(args); ++ $('.pickbox').fadeOut('fast'); ++ break; ++ default: return; ++ } ++ }); ++ ++ // ++ // Tags ++ // ++ ++ // Truncate ++ function truncTag(tag,len) { ++ if (tag.length > len) tag = tag.substring(0,len) + ".."; ++ return tag; ++ } ++ ++ // Filter results or add as new ++ $(document).on('click', '.tag', function() { ++ var tag = $(this).data('val'); ++ if($('.taginput').is(":visible")) { ++ $('.taginput').val(tag); ++ $('.taginput').focus(); ++ } else { ++ $('#search').val('tag ' + tag); ++ $('.b_update').click(); ++ } ++ }); ++ ++ // Remove individual tags on "(X)" click via payload area ++ $(document).on('mouseenter', '.tag_d, .tag_s', function() { ++ var tag = $(this).data('val'); ++ if ($(".tag_x")[0]) return; ++ var dw = $(this).width() - 5 + "px"; ++ $(this).append("
X
"); ++ $(".tag_x").css("margin-left", dw); ++ $(".tag_x").fadeIn("slow"); ++ ++ }); ++ ++ $(document).on('mouseleave', '.tag_d, .tag_s', function() { ++ $('.tag_x').remove(); ++ }); ++ ++ $(document).on('click', '.tag_x', function() { ++ var tag = $(this).parent().data("val"); ++ var obj = $(this).parent().data("obj"); ++ $(this).parent().remove(); ++ var len = $("#tag_area").text().length; ++ if (len == 0) $("#tag_area").append("None."); ++ //doTag(s2h(obj),tag,'rm'); ++ }); ++ ++ // Fire tag add on enter ++ $('.taginput').keypress(function(e) { ++ if (!e) e=window.event; ++ key = e.keyCode ? e.keyCode : e.which; ++ if (key == 13) $('.tagok').click(); ++ }); ++ ++ // Close tag entry ++ $(document).on('click', '.tagcancel', function() { ++ $('.taginput').val(''); ++ $('.tagbox').fadeOut('fast'); ++ }); ++ ++ // Add a tag ++ $(document).on('click', '.tagok', function() { ++ var tag = $('.taginput').val(); ++ var obj = $('#pickbox_label').text(); ++ var re = /^[?a-zA-Z0-9][\s{1}\w-\.]*$/; ++ var OK = re.exec(tag); ++ if (OK) doTag(s2h(obj),tag,'add'); ++ }); ++ ++ // Remove a tag ++ $(document).on('click', '.tagrm', function() { ++ var tag = truncTag($('.taginput').val(),20); ++ var obj = $('#pickbox_label').text(); ++ doTag(s2h(obj),tag,'rm'); ++ $(".tag" + ":contains('" + tag + "')").remove(); ++ $('.tagcancel').click(); ++ }); ++ ++ // Display or Toggle tags ++ function addTag(tag) { ++ // If we entered from payload we have some additional info ++ if ($('#eview_sub2')[0]) { ++ var longTag = tag.split(",")[0]; ++ var theClass = tag.split(",")[1]; ++ var t_tag = truncTag(longTag,20); ++ } else { ++ var t_tag = truncTag(tag,20); ++ } ++ ++ // Hide empty ++ $('.tag_empty').hide(); ++ ++ // Check if tag exists ++ var tag_exists = 0; ++ $('.tag').each(function() { ++ if ($(this).text() == t_tag) { ++ $(this).addClass('tag_active'); ++ tag_exists = 1; ++ } ++ }); ++ ++ // Add tag to left pane ++ if (tag_exists == 0) { ++ var newTag = "
" + t_tag + "
"; ++ $('#tg_box').prepend(newTag); ++ } ++ ++ // If we have the payload open, add here as well ++ if ($('#eview_sub2')[0]) { ++ if($('#pickbox_label').is(":visible")) { ++ theClass = $('#pickbox_label').data('sord')[0]; ++ } ++ // Remove placeholder ++ if ($('#tag_none')[0]) $('#tag_none').remove(); ++ var newTag = "
" + t_tag + "
"; ++ $('#tag_area').prepend(newTag); ++ } ++ ++ } ++ ++ function doTag(obj,tag,op) { ++ var urArgs = "type=19&obtype=tag&object=" + obj + "&value=" + tag + "&op=" + op; ++ $(function(){ ++ $.post(".inc/callback.php?" + urArgs, function(data){cb22(data)}); ++ }); ++ ++ function cb22(data){ ++ eval("theData=" + data); ++ if (theData.msg != '') { ++ alert(theData.msg); ++ } else { ++ if (op != 'rm') addTag(tag); ++ $('.tagcancel').click(); ++ } ++ } ++ } ++ ++ // Colours ++ $(document).on('click', '.csave', function() { ++ var obtype = $(this).data('obtype'); ++ var object = $(this).data('object'); ++ var colour = $('#menucol').val().replace(/#/,"").toUpperCase(); ++ var op = "add"; ++ var re = /^([A-Fa-f0-9]{6}|[A-Fa-f0-9]{3})$/; ++ var OK = re.exec(colour); ++ if (!OK) return; ++ // Single or multiple? ++ if (obtype == "src" || obtype == "dst") { ++ var vr = new Array(); ++ $("." + obtype).each(function() { ++ var v = $(this).text(); ++ var re = /\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}/; ++ var OK = re.exec(v); ++ if (OK) { ++ var t = vr.indexOf(v); ++ if (t < 0) vr.push(v); ++ } ++ }); ++ object = vr.toString(); ++ } ++ ++ var urArgs = "type=19&obtype=" + obtype + "_c&object=" + object + "&value=" + colour + "&op=" + op; ++ $(function(){ ++ $.post(".inc/callback.php?" + urArgs, function(data){cb22(data)}); ++ }); ++ ++ function cb22(data){ ++ eval("theData=" + data); ++ if (theData.msg != '') { ++ alert(theData.msg); ++ } else { // We should be good.. ++ var curObject = $('#pickbox_label').text(); ++ if (obtype == "el") { ++ var html = "
" + colour; ++ $('#el_' + curObject).html(html); ++ $('#el_' + curObject).data('col', colour); ++ } else { ++ $(".sub_filter:contains(" + curObject + ")").each(function() { ++ $(this).find('.object').css('background-color', '#' + colour).parent().data('col', colour); ++ }); ++ } ++ $('.pickbox').fadeOut('fast'); ++ } ++ } ++ }); ++ ++ $(document).on('click', '.pickbox_close', function() { ++ $('.tagcancel').click(); ++ $('.pickbox').fadeOut('fast'); ++ }); ++ ++ // ++ // Object History ++ // ++ ++ function hItemAdd(item) { ++ var itemTitle = item; ++ // Truncate ++ if (item.length > 33) { ++ itemTitle = item.substring(0,33) + ".."; ++ } ++ // Remove empty message ++ $('.history_empty').hide(); ++ ++ // If the item doesn't exist, add it. Otherwise, we start counting. ++ if ($(".h_item:contains('" + itemTitle + "')").length > 0) { ++ var oc = $(".h_item:contains('" + itemTitle + "')").data('n'); ++ var nc = Number(oc) + 1; ++ var bg = '#c9c9c9'; ++ var fn = 'normal'; ++ if (nc <= 3) { ++ bg = '#000'; ++ } else if (nc > 3) { ++ bg = '#cc0000'; ++ fn = 'bold'; ++ } ++ ++ $(".h_item:contains('" + itemTitle + "')").css('color', bg); ++ $(".h_item:contains('" + itemTitle + "')").css('font-weight', fn); ++ $(".h_item:contains('" + itemTitle + "')").data('n',nc); ++ $(".h_item:contains('" + itemTitle + "')").text(itemTitle + "(" + nc + ")"); ++ } else { ++ var toAdd = " " + itemTitle + ""; ++ $('#h_box').prepend(toAdd); ++ } ++ } ++ ++ if (!$('.h_item')[0]) { ++ $('.history_empty').show(); ++ } ++ ++ // Alt mappings for icons ++ ++ $.alt('1', function() { ++ $("#ico01").click(); ++ }); ++ $.alt('2', function() { ++ $("#ico02").click(); ++ }); ++ $.alt('3', function() { ++ $("#ico03").click(); ++ }); ++ $.alt('4', function() { ++ $("#ico05").click(); ++ }); ++ $.alt('5', function() { ++ $("#ico04").click(); ++ }); ++ ++ // ++ // Event classification ++ // ++ ++ // Use function keys to trigger status buttons ++ $(document).keydown(function(event){ ++ ++ function stopOthers() 
{ ++ event.originalEvent.keyCode = 0; ++ event.preventDefault(); ++ event.stopPropagation(); ++ } ++ ++ switch (event.keyCode) { ++ case 112: stopOthers(); $('#b_class-11').click(); break; ++ case 113: stopOthers(); $('#b_class-12').click(); break; ++ case 114: stopOthers(); $('#b_class-13').click(); break; ++ case 115: stopOthers(); $('#b_class-14').click(); break; ++ case 116: stopOthers(); $('#b_class-15').click(); break; ++ case 117: stopOthers(); $('#b_class-16').click(); break; ++ case 118: stopOthers(); $('#b_class-17').click(); break; ++ case 119: stopOthers(); $('#b_class-1').click(); break; ++ case 120: stopOthers(); $('#b_class-2').click(); break; ++ } ++ }); ++ ++ // Comment window status buttons ++ $(document).on("click", "#cw_buttons", function(event) { ++ var newclass = $(event.target).data('n'); ++ if (newclass == 0) { ++ $('#b_class-' + newclass).click(); ++ } else { ++ $('#b_class-' + newclass).click(); ++ } ++ }); ++ ++ // Highlight colour for selected events ++ var hlcol = "#FFFFE0"; ++ var hlhov = "#FDFDD6"; ++ ++ // Individual selects ++ var clickOne = 0, clck1 = 0, clck2 = 0; ++ $(document).on("click", ".chk_event", function(event) { ++ $("#tl3b").trigger('update'); ++ var clickTwo = this.id.split("_"); ++ if (Number(clickOne[1]) > Number(clickTwo[1])) { ++ clck1 = clickTwo[1]; ++ clck2 = clickOne[1]; ++ } else { ++ clck1 = clickOne[1]; ++ clck2 = clickTwo[1]; ++ } ++ ++ if (event.shiftKey) { ++ if (clck1 != clck2) { ++ $("#s" + clck1).nextUntil("#s" + clck2).find(".chk_event").prop("checked", true); ++ $("#s" + clck1).nextUntil("#s" + clck2).css("background-color", hlcol); ++ $("#s" + clck1).nextUntil("#s" + clck2).hover( ++ function(){$(this).css("background-color", hlhov)}, ++ function(){$(this).css("background-color", hlcol)}); ++ clickOne = 0, clck1 = 0, clck2 = 0; ++ } ++ } ++ ++ // Update class_count ++ $("#class_count").html($(".chk_event:checked").length); ++ if ($("#ca1:checked").length > 0) { ++ $("#ca1").prop("checked",false); ++ 
} ++ clickOne = this.id.split("_"); ++ ++ if ($(this).prop("checked") == true) { ++ $("#s" + clickTwo[1]).css("background-color", hlcol); ++ $("#s" + clickTwo[1]).hover(function(){$(this).css("background-color", hlhov)}, ++ function(){$(this).css("background-color", hlcol)}); ++ } else { ++ $("#s" + clickTwo[1]).css("background-color", "transparent"); ++ $("#s" + clickTwo[1]).hover(function(){$(this).css("background-color", "#f4f4f4")}, ++ function(){$(this).css("background-color", "transparent")}); ++ } ++ }); ++ ++ // Select all (2) ++ $(document).on("click", "#ca1", function(event) { ++ var chkLen = $("#ca1:checked").length; ++ switch(chkLen) { ++ case 0: ++ $(".chk_event").prop("checked",false); ++ $("#ca0").prop("checked",false); ++ $(".d_row_sub1").css("background-color", "transparent"); ++ $(".d_row_sub1").hover(function(){$(this).css("background-color", "#f4f4f4")}, ++ function(){$(this).css("background-color", "transparent")}); ++ break; ++ default: ++ $(".chk_event").each(function() { ++ if ($(this).prop("disabled") == false) { ++ $(this).prop("checked",true); ++ } ++ }); ++ $(".d_row_sub1").css("background-color", hlcol); ++ $(".d_row_sub1").hover(function(){$(this).css("background-color", hlhov)}, ++ function(){$(this).css("background-color", hlcol)}); ++ $("#ca0").prop("checked",true); ++ break; ++ } ++ ++ if ($(".eview_sub1")[0]) { ++ // Update class_count ++ $("#class_count").html($(".chk_event:checked").length); ++ } ++ ++ }); ++ ++ // Select all (2a) - clean this up, the above is almost identical ++ $(document).on("click", "#ca2", function(event) { ++ var chkLen = $("#ca2:checked").length; ++ switch(chkLen) { ++ case 0: ++ $(".chk_event").prop("checked",false); ++ $("#ca2").prop("checked",false); ++ $(".d_row_sub1").css("background-color", "transparent"); ++ $(".d_row_sub1").hover(function(){$(this).css("background-color", "#f4f4f4")}, ++ function(){$(this).css("background-color", "transparent")}); ++ break; ++ default: ++ 
$(".chk_event").each(function() { ++ if ($(this).prop("disabled") == false) { ++ $(this).prop("checked",true); ++ } ++ }); ++ $(".d_row_sub1").css("background-color", hlcol); ++ $(".d_row_sub1").hover(function(){$(this).css("background-color", hlhov)}, ++ function(){$(this).css("background-color", hlcol)}); ++ $("#ca2").prop("checked",true); ++ break; ++ } ++ // Update class_count ++ $("#class_count").html($(".chk_event:checked").length); ++ }); ++ ++ // Class button click ++ $(document).on("click", "[id*=\"b_class-\"]", function() { ++ // We only fire if something is selected ++ var chkLen = parseInt($(".chk_event:checked").length + $(".chk_all:checked").length); ++ var intclass = $(this).attr('id').split("-"); ++ if (chkLen > 0 && intclass[1] != 0) { ++ eClass(this,intclass[1]); ++ } ++ }); ++ ++ function eClass(caller,intclass) { ++ // The sid.cid values ++ var scid= "", scidlist = "", ecls = 0; ++ if ($(".eview_sub1")[0] || $("#ca2")[0]) { ++ $(".chk_event:checked").each(function() { ++ if ($(this).data('eclass') == 0) { ++ ecls++; ++ } ++ scid += $(this).val() + ","; ++ }); ++ scidlist = scid.replace(/,$/, ""); ++ } else { ++ ecls = $(".d_row_active").find(".b_ec_hot").text(); ++ scidlist = $("#ca0").data("scid"); ++ } ++ ++ // Was there a message? ++ var msg = "none"; ++ if ($(".cat_msg_txt").val().length != 0) { ++ msg = $(".cat_msg_txt").val(); ++ } ++ ++ if ($('#cat_box').css('display') != 'none') { ++ $('#ico01').click(); ++ } ++ ++ // We are now ready to class ++ var catdata = intclass + "|||" + msg + "|||" + scidlist; ++ var urArgs = "type=" + 9; ++ $(function(){ ++ $.post(".inc/callback.php?" 
+ urArgs, { catdata: catdata } ,function(data){cb9(data)}); ++ }); ++ ++ function cb9(data){ ++ eval("catRaw=" + data); ++ catDbg = catRaw.dbg; ++ if (catDbg == "0") { ++ ++ var curtotalrtcount = Number(ecls); ++ // Working on grouped events ++ if ($("#gr").text() == "on") { ++ curclasscount = Number($("#class_count").text()); ++ var curtotalparentcount = $(".d_row_active").find(".b_ec_hot").text(); ++ // Do we have queued events? ++ if (curtotalparentcount > 0) { ++ ++ // Are we working on queued events? ++ if (curtotalrtcount > 0) { ++ curclasscount = curtotalrtcount; ++ } else { ++ curclasscount = 0; ++ } ++ // Adjust the parent count ++ newparentcount = parseInt(curtotalparentcount - curclasscount,10); ++ $(".d_row_active").find(".b_ec_hot").text(newparentcount); ++ ++ if (newparentcount == 0) { ++ $(".d_row_active").find(".b_ec_hot").parent().attr('class','row'); ++ $(".d_row_active").find(".b_ec_hot").attr('class','b_ec_cold'); ++ } ++ ++ // If we are working within the child, adjust accordingly ++ if ($(".eview_sub1")[0]) { ++ // How many are in the child ++ curtotalchildcount = $(".d_row_sub_active").find(".b_ec_hot").text(); ++ ++ // Adjust the child count ++ newchildcount = parseInt(curtotalchildcount - curclasscount,10); ++ $(".d_row_sub_active").find(".b_ec_hot").text(newchildcount); ++ if (newchildcount == 0) { ++ $("#ca1").prop("disabled",true); ++ $(".d_row_sub_active").find(".b_ec_hot").parent().attr('class','sub'); ++ $(".d_row_sub_active").find(".b_ec_hot").attr('class','b_ec_cold'); ++ } ++ // Otherwise we were called from the parent ++ } else { ++ $(".d_row_sub").find(".b_ec_hot").parent().attr('class','sub'); ++ $(".d_row_sub").find(".b_ec_hot").text(0); ++ $(".d_row_sub").find(".b_ec_hot").attr('class','b_ec_cold'); ++ $("#ca0").prop("disabled",true); ++ } ++ lastclasscount = newparentcount; ++ } ++ ++ // Lastly, update class_count ++ if (rtbit == 1 || curtotalrtcount > 0 || $("#eview_sub")[0]) { ++ $("#class_count").html(0); ++ } else { ++ 
$("#class_count").html($(".d_row_active").find(".b_ec_total").text()); ++ } ++ ++ // Working on ungrouped events ++ } else { ++ $("#class_count").html(lastclasscount); ++ } ++ ++ // What the new classification is ++ selClass = $(caller).data("cn"); ++ newClass = "a_" + selClass; ++ ++ // Change visible class and disable if RT ++ // If we are RT ungrouped, we just remove ++ if ($('#rt').text() == 'on' && $("#ca2")[0]) { ++ $(".chk_event:checked").each(function() { ++ var pid = $(this).attr("id").split("_"); ++ var nid = parseInt(Number(pid[1]) + 1); ++ // Remove any open payload or TX panes ++ if ($("[id^=eview_]")[0]) { ++ $("[id^=eview_]").remove(); ++ $(".d_row_sub1").css('opacity','1'); ++ } ++ // Remove the row ++ $("#s" + pid[1]).fadeOut('fast', function() { ++ $("#s" + pid[1]).remove(); ++ }); ++ }); ++ ++ // Update table (for sorter) ++ $("#tl3b").trigger('update'); ++ } else { ++ // If we are RT and all events are classed we just remove ++ if ($('#rt').text() == 'on' && $(".d_row_active").find(".b_ec_hot").text() == 0) { ++ $("#active_eview").remove(); ++ $(".d_row_active").fadeOut('slow', function (event) { ++ $(".d_row_active").remove(); ++ var newsigtotal = "-"; ++ var sigtotal = $("#esignature").text(); ++ if (sigtotal > 0) { ++ newsigtotal = parseInt(sigtotal - 1); ++ } ++ $("#esignature").text(newsigtotal); ++ }); ++ $(".d_row").css('opacity','1'); ++ } else { ++ $(".chk_event:checked").each(function() { ++ var n = this.id.split("_"); ++ $("#class_box_" + n[1]).attr('class', newClass); ++ $("#class_box_" + n[1]).text(selClass); ++ if (curtotalparentcount > 0) { ++ $(this).prop("disabled",true); ++ } ++ }); ++ } ++ $(".d_row_sub1").css("background-color", "#fafafa"); ++ $(".d_row_sub1").hover(function(){$(this).css("background-color", "#f4f4f4")}, ++ function(){$(this).css("background-color", "#fafafa")}); ++ } ++ ++ // Uncheck everything ++ $(".chk_event").prop("checked", false); ++ $(".chk_all").prop("checked", false); ++ // Remove these scids from 
the L1 scidlist ++ if ($("#ca0")[0] && rtbit == 1) { ++ var cur_scidlist = scidlist.split(','); ++ var active_scidlist = $("#ca0").data("scid"); ++ for (var i = 0; i < cur_scidlist.length; i++) { ++ active_scidlist = active_scidlist.replace(cur_scidlist[i],''); ++ } ++ active_scidlist = active_scidlist.replace(/,{2,}/g,','); ++ active_scidlist = active_scidlist.replace(/(^,|,$)/g,''); ++ $("#ca0").data("scid", active_scidlist); ++ } ++ catMsg(scidlist.split(',').length, curtotalrtcount); ++ } else { ++ catMsg(0); ++ } ++ } ++ } ++ ++ function catMsg(count, rtcount) { ++ switch (count) { ++ default: ++ var ess = ''; ++ if ( count > 1 ) ess = 's'; ++ ++ var numrows = Number($('.d_row').length + $('.d_row_sub1').length); ++ var newboxtotal = 0, newcatcount = 0; ++ newboxtotal = parseInt($("#qtotal").text() - rtcount); ++ $("#qtotal").text(newboxtotal); ++ ++ // If we are just rt update Total boxes as we go ++ if ($("#ca2")[0]) { // We are ungrouped ++ newcatcount = parseInt($("#cat_count").text() - count); ++ if (newcatcount == 0) { ++ newView("u"); ++ } else { ++ $("#cat_count").text(newcatcount); ++ } ++ } ++ ++ if (numrows == 0) { ++ newView("u"); ++ } ++ ++ var msg = count + " event" + ess + " categorized"; ++ clearTags(); ++ break; ++ } ++ ++ $("span.class_msg").text(msg); ++ $("span.class_msg").fadeIn('slow', function() { ++ setTimeout(function(){ ++ $(".class_msg").fadeOut('slow'); ++ }, 3000); ++ }); ++ } ++ ++ // Load summary tab ++ function loadSummary() { ++ var limit = 10; ++ if ($('#wm0')[0]) { ++ doMap("redraw"); ++ } else { ++ doMap("draw"); ++ } ++ mkSummary("signature",limit); ++ mkSummary("srcip",limit); ++ mkSummary("dstip",limit); ++ mkSummary("srcpt",limit); ++ mkSummary("dstpt",limit); ++ mkSummary("srccc",limit); ++ mkSummary("dstcc",limit); ++ } ++ ++ // Toggle summary section ++ $(document).on("click", ".hidepane", function(e) { ++ $('#topsignature').toggle(); ++ }); ++ ++ // Summary tab ++ function mkSummary(box,limit) { ++ var theWhen = 
getTimestamp(); ++ var theSensors = s2h('empty'); ++ var theFilter = mkFilter(); ++ // See if we are filtering by sensor ++ if ($('.chk_sen:checked').length > 0) { ++ var active_sensors = "AND event.sid IN("; ++ var iter = $('.chk_sen:checked').length; ++ $('.chk_sen:checked').each(function() { ++ active_sensors += "'" + $(this).val() + "',"; ++ }); ++ active_sensors = active_sensors.replace(/,+$/,''); ++ active_sensors += ")"; ++ theSensors = s2h(active_sensors); ++ } ++ ++ var ldr = "
"; ++ $('#ov_' + box + '_sl').prepend(ldr); ++ $('#top' + box).fadeTo('fast', 0.2); ++ switch (box) { ++ case "srcip": ++ var cbArgs = "srcip"; ++ var qargs = "ip-src"; ++ var urArgs = "type=15&qargs=" + qargs + "&filter=" + theFilter + "&sensors=" + theSensors + "&limit=" + limit + "&ts=" + theWhen; ++ $(function(){ ++ $.get(".inc/callback.php?" + urArgs, function(data){cb15(data,cbArgs)}); ++ }); ++ break; ++ case "dstip": ++ var cbArgs = "dstip"; ++ var qargs = "ip-dst"; ++ var urArgs = "type=15&qargs=" + qargs + "&filter=" + theFilter + "&sensors=" + theSensors + "&limit=" + limit + "&ts=" + theWhen; ++ $(function(){ ++ $.get(".inc/callback.php?" + urArgs, function(data){cb15(data,cbArgs)}); ++ }); ++ break; ++ case "srcpt": ++ var cbArgs = "srcpt"; ++ var qargs = "pt-src"; ++ var urArgs = "type=15&qargs=" + qargs + "&filter=" + theFilter + "&sensors=" + theSensors + "&limit=" + limit + "&ts=" + theWhen; ++ $(function(){ ++ $.get(".inc/callback.php?" + urArgs, function(data){cb17(data,cbArgs)}); ++ }); ++ break; ++ case "dstpt": ++ var cbArgs = "dstpt"; ++ var qargs = "pt-dst"; ++ var urArgs = "type=15&qargs=" + qargs + "&filter=" + theFilter + "&sensors=" + theSensors + "&limit=" + limit + "&ts=" + theWhen; ++ $(function(){ ++ $.get(".inc/callback.php?" + urArgs, function(data){cb17(data,cbArgs)}); ++ }); ++ break; ++ case "signature": ++ var qargs = "sig-sig"; ++ var urArgs = "type=15&qargs=" + qargs + "&filter=" + theFilter + "&sensors=" + theSensors + "&limit=" + limit + "&ts=" + theWhen; ++ $(function(){ ++ $.get(".inc/callback.php?" + urArgs, function(data){cb16(data)}); ++ }); ++ break; ++ case "srccc": ++ var cbArgs = "srccc"; ++ var qargs = "cc-src"; ++ var urArgs = "type=15&qargs=" + qargs + "&filter=" + theFilter + "&sensors=" + theSensors + "&limit=" + limit + "&ts=" + theWhen; ++ $(function(){ ++ $.get(".inc/callback.php?" 
+ urArgs, function(data){cb15(data,cbArgs)}); ++ }); ++ break; ++ case "dstcc": ++ var cbArgs = "dstcc"; ++ var qargs = "cc-dst"; ++ var urArgs = "type=15&qargs=" + qargs + "&filter=" + theFilter + "&sensors=" + theSensors + "&limit=" + limit + "&ts=" + theWhen; ++ $(function(){ ++ $.get(".inc/callback.php?" + urArgs, function(data){cb15(data,cbArgs)}); ++ }); ++ break; ++ } ++ ++ // IP and Country ++ function cb15(data,cbArgs){ ++ var ch = "SRC"; ++ var wip = "d"; ++ if (cbArgs[0] == "s") ch = "DST", wip = "s"; ++ eval("raw=" + data); ++ var tbl = '', head = '', row = ''; ++ head += ""; ++ head += "COUNT"; ++ head += "%TOTAL"; ++ head += "#SIG"; ++ head += "#" + ch + ""; ++ if (cbArgs[3] == "c") { ++ head += "COUNTRY"; ++ head += "#IP"; ++ } else { ++ head += "IP"; ++ head += "COUNTRY"; ++ } ++ head += ""; ++ ++ var eventsum = raw[raw.length - 1].n || 0; ++ var records = raw[raw.length - 1].r || 0; ++ if (records == 0) { ++ row = "No result."; ++ $("#ov_" + cbArgs + "_sl").text(""); ++ } ++ for (var i=0; i 0) per = parseFloat(cnt/eventsum*100).toFixed(2); ++ row += ""; ++ row += "" + cnt + ""; ++ row += "" + per + "%"; ++ row += "" + sigs + ""; ++ row += "" + ip2 + ""; ++ ++ if (cbArgs[3] == "c") { ++ row += ""; ++ row += cs[1] + clong + " (." + cc.toLowerCase() + ")" + ""; ++ row += "" + ip + ""; ++ } else { ++ row += "
" + ip + ""; ++ row += ""; ++ row += cs[1] + clong + " (." + cc.toLowerCase() + ")" + ""; ++ } ++ row += ""; ++ row += "
"; ++ } ++ tbl += ""; ++ tbl += head; ++ tbl += row; ++ tbl += "
"; ++ if ($("#top" + cbArgs)[0]) $("#top" + cbArgs).remove(); ++ $("#ov_" + cbArgs + "_sl").after(tbl); ++ $("#ov_" + cbArgs + "_msg").html("viewing " + i + " of " + records + " results"); ++ mkSlider("ov_" + cbArgs + "_sl", i, records); ++ } ++ ++ // Ports ++ function cb17(data,cbArgs){ ++ eval("raw=" + data); ++ var tbl = '', head = '', row = ''; ++ head += ""; ++ head += "COUNT"; ++ head += "%TOTAL"; ++ head += "#SIG"; ++ head += "#SRC" ++ head += "#DST"; ++ head += "PORT"; ++ head += ""; ++ ++ var eventsum = raw[raw.length - 1].n || 0; ++ var records = raw[raw.length - 1].r || 0; ++ if (records == 0) { ++ row = "No result."; ++ $("#ov_" + cbArgs + "_sl").text(""); ++ } ++ for (var i=0; i 0) per = parseFloat(cnt/eventsum*100).toFixed(2); ++ row += ""; ++ row += "" + cnt + ""; ++ row += "" + per + "%"; ++ row += "" + sigs + ""; ++ row += "" + src + ""; ++ row += "" + dst + ""; ++ row += "" + port + ""; ++ row += ""; ++ row += "
"; ++ } ++ tbl += ""; ++ tbl += head; ++ tbl += row; ++ tbl += "
"; ++ if ($("#top" + cbArgs)[0]) $("#top" + cbArgs).remove(); ++ $("#ov_" + cbArgs + "_sl").after(tbl); ++ $("#ov_" + cbArgs + "_msg").html("viewing " + i + " of " + records + " results"); ++ mkSlider("ov_" + cbArgs + "_sl", i, records); ++ } ++ // Signature ++ function cb16(data){ ++ eval("raw=" + data); ++ var tbl = '', head = '', row = ''; ++ head += ""; ++ head += "COUNT"; ++ head += "%TOTAL"; ++ head += "#SRC"; ++ head += "#DST"; ++ head += "SIGNATURE"; ++ head += "ID"; ++ head += ""; ++ ++ var eventsum = raw[raw.length - 1].n || 0; ++ var records = raw[raw.length - 1].r || 0; ++ if (records == 0) { ++ row = "No result."; ++ $("#ov_signature_sl").text(""); ++ $("#ovestat").html("(No events)"); ++ } else { ++ $("#ovestat").html("(" + eventsum + " events)"); ++ } ++ for (var i=0; i 0) per = parseFloat(cnt/eventsum*100).toFixed(2); ++ row += ""; ++ row += "" + cnt + ""; ++ row += "" + per + "%"; ++ row += "" + src + ""; ++ row += "" + dst + ""; ++ row += "" + sig + ""; ++ row += "" + sid + ""; ++ row += ""; ++ row += "
"; ++ } ++ ++ tbl += ""; ++ tbl += head; ++ tbl += row; ++ tbl += "
"; ++ if ($('#topsignature')[0]) $('#topsignature').remove(); ++ $("#ov_signature_sl").after(tbl); ++ $("#ov_signature_msg").html("viewing " + i + " of " + records + " results"); ++ mkSlider("ov_signature_sl", i, records); ++ } ++ } ++ ++ $(".ovsl").mouseup(function() { ++ var section = $(this).attr('id'); ++ var base = section.split("_")[1]; ++ var limit = Number($("#" + section + "_lbl").text()); ++ if (limit > 0) mkSummary(base, limit); ++ }); ++ ++ // ++ // Views tab ++ // ++ ++ function loadViews() { ++ $('.db_links').show(); ++ if (!$("#db_view_cont")[0]) mkView(); ++ } ++ ++ // Link handlers ++ $(document).on('click', '.db_link', function() { ++ $('.db_link').each(function() { ++ if ($(this).data('state') == '1') { ++ $(this).removeClass('db_link_active'); ++ $(this).data('state', '0'); ++ } ++ }); ++ $(this).data('state', '1'); ++ mkView(); ++ }); ++ ++ $(document).on('click', '.db_type', function() { ++ $('.db_type').each(function() { ++ if ($(this).data('state') == '1') { ++ $(this).removeClass('db_type_active'); ++ $(this).data('state', '0'); ++ } ++ }); ++ $(this).data('state', '1'); ++ mkView(); ++ }); ++ ++ $(document).on('click','.db_save', function() { ++ ++ }); ++ ++ // Create the view ++ function mkView() { ++ $('#db_view_cont,#hp_info').remove(); ++ if (!$("#db_view_ldr")[0]) { ++ var view = 'ip'; ++ $('.db_link').each(function() { ++ if ($(this).data('state') == '1') { ++ $(this).addClass('db_link_active'); ++ view = $(this).data('val'); ++ } ++ }); ++ ++ var type = 'sk'; ++ $('.db_type').each(function() { ++ if ($(this).data('state') == '1') { ++ $(this).addClass('db_type_active'); ++ type = $(this).data('type'); ++ } ++ }); ++ ++ var theWhen = getTimestamp(); ++ var theSensors = s2h('empty'); ++ var theFilter = mkFilter(); ++ // See if we are filtering by sensor ++ if ($('.chk_sen:checked').length > 0) { ++ var active_sensors = "AND event.sid IN("; ++ var iter = $('.chk_sen:checked').length; ++ $('.chk_sen:checked').each(function() { ++ 
active_sensors += "'" + $(this).val() + "',"; ++ }); ++ active_sensors = active_sensors.replace(/,+$/,''); ++ active_sensors += ")"; ++ theSensors = s2h(active_sensors); ++ } ++ ++ var ldr = "
"; ++ $('.db_view').after(ldr); ++ var qargs = view + "-" + type; ++ var urArgs = "type=16&qargs=" + qargs + "&filter=" + theFilter + "&sensors=" + theSensors + "&ts=" + theWhen; ++ $(function(){ ++ $.get(".inc/callback.php?" + urArgs, function(data){cb17(data,type)}); ++ }); ++ ++ function cb17(data,type) { ++ eval("viewData=" + data); ++ var records = viewData.records; ++ if ($('#db_view_cont')[0]) $('#db_view_cont').remove(); ++ if (records > 0) { ++ $('.db_view').after("
"); ++ switch (type) { ++ case 'sk': ++ var w = $(window).width(); ++ var h = viewData.links.length * 12; ++ if (h < 100) h = 100; ++ mkSankey("db_view_cont",viewData,w,h); ++ break; ++ } ++ } else { ++ $('.db_view').after("
The query returned no results.
"); ++ } ++ $('#db_view_ldr').remove(); ++ } ++ } ++ } ++ ++ // Make a map ++ function doMap() { ++ theWhen = getTimestamp(); ++ var theFilter = mkFilter(); ++ var working = "Working
"; ++ ++ $('#wm0').html(working); ++ ++ var urArgs = "type=" + 10 + "&filter=" + theFilter + "&ts=" + theWhen; ++ $(function(){ ++ $.get(".inc/callback.php?" + urArgs, function(data){cb10(data)}); ++ }); ++ ++ function cb10(data){ ++ eval("mapRaw=" + data); ++ try { ++ var mapDetail = $.parseJSON("{" + mapRaw.all + "}"); ++ var srcc = mapRaw.srcc; ++ var srce = mapRaw.srce; ++ var dstc = mapRaw.dstc; ++ var dste = mapRaw.dste; ++ var allc = mapRaw.allc; ++ var alle = mapRaw.alle; ++ } ++ catch(e) { ++ var mapDetail = "{\"\"}"; ++ } ++ ++ // What is our current event total? ++ var esum = $('#event_sum').val(); ++ var w = $(window).width() - 72; ++ var h = w / 2.7 ; ++ $("#ov_map").html("
"); ++ $('#wm0').vectorMap({ ++ map: 'world_mill_en', ++ color: '#f4f3f0', ++ backgroundColor: '#CFE1FC', ++ zoomOnScroll: false, ++ onRegionClick: function(event, code){ ++ hItemAdd(code); ++ $('#search').val("cc" + " " + code); ++ $('#search').focus(); ++ }, ++ series: { ++ regions: [{ ++ values: mapDetail, ++ scale: ['#ffffff', '#000000'], ++ normalizeFunction: 'polynomial' ++ }] ++ }, ++ onRegionLabelShow: function(e, el, code){ ++ if (mapDetail[code]) { ++ var eper = parseFloat(mapDetail[code]/esum*100).toFixed(3); ++ el.html(el.html() + ' (' + mapDetail[code] + ' Events ' + eper + '% of Total)'); ++ } else { ++ el.html(el.html()); ++ } ++ } ++ }); ++ ++ var stats = "("; ++ stats += allc + " distinct countries)"; ++ $("#ovmapstat").html(stats); ++ } ++ } ++ ++ // Redraw map ++ $(document).on("click", "#map_src, #map_dst", function() { ++ doMap($(this).attr('id').split("_")[1]); ++ }); ++ ++ // ++ // History ++ // ++ ++ function doHistory(object) { ++ $('#loader').show(); ++ var urArgs = "type=" + 21 + "&object=" + s2h("aa" + object) + "&ts=" + theWhen; ++ $(function(){ ++ $.get(".inc/callback.php?" 
+ urArgs, function(data){cb21(data)}); ++ }); ++ ++ function cb21(data){ ++ eval("chartData=" + data); ++ var r1 = chartData.r1; ++ var r2 = chartData.r2; ++ var sum = 0; ++ if (r1 > 0) { ++ mkHeatMap(".ev_hm",chartData.start,chartData.rows1,object); ++ $('#obhist_sig').remove(); ++ if (r2 > 0) { ++ ++ for (var i=0; i < r2; i++) { ++ sum += Number(chartData.rows2[i].value); ++ } ++ ++ var tbl = '', head = '', row = ''; ++ head += ""; ++ head += "COUNT"; ++ head += "%TOTAL"; ++ head += "SIGNATURE"; ++ head += ""; ++ row += ""; ++ ++ for (var i=0; i < r2; i++) { ++ ++ var cnt = chartData.rows2[i].value || "-"; ++ var sig = chartData.rows2[i].label || "-"; ++ var sid = chartData.rows2[i].sid || "-"; ++ var per = 0; ++ if (sum > 0) var per = parseFloat(cnt/sum*100).toFixed(2); ++ var tsg = truncTag(sig,60); ++ ++ row += ""; ++ row += "" + cnt + ""; ++ row += "" + per + "%"; ++ row += "" + tsg + ""; ++ row += "" ++ row += "
"; ++ } ++ ++ row += ""; ++ tbl += ""; ++ tbl += head; ++ tbl += row; ++ tbl += "
"; ++ if ($('#obhist_sig')[0]) $('#obhist_sig').remove(); ++ $(".ev_py").append(tbl); ++ } ++ } else { ++ return; ++ } ++ if ($(".eview_charts")[0]) $('.eview_charts').slideDown('slow'); ++ $("#loader").hide(); ++ } ++ } ++// The End. ++}); +--- /dev/null ++++ securityonion-squert-20161212/auth/sso/squert/login.php +@@ -0,0 +1,141 @@ ++ ++// ++// This program is free software: you can redistribute it and/or modify ++// it under the terms of the GNU General Public License as published by ++// the Free Software Foundation, either version 3 of the License, or ++// (at your option) any later version. ++// ++// This program is distributed in the hope that it will be useful, ++// but WITHOUT ANY WARRANTY; without even the implied warranty of ++// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the ++// GNU General Public License for more details. ++// ++// You should have received a copy of the GNU General Public License ++// along with this program. If not, see . ++// ++// ++ ++include_once '.inc/config.php'; ++ ++$username = $password = $err = ''; ++$focus = 'username'; ++session_set_cookie_params(0, NULL, NULL, NULL, TRUE); ++ ++function cleanUp($string) { ++ if (get_magic_quotes_gpc()) { ++ $string = stripslashes($string); ++ } ++ $string = mysql_real_escape_string($string); ++ return $string; ++} ++ ++//if ($_SERVER['REQUEST_METHOD'] == 'POST'){ ++ //$username = $_REQUEST['username']; ++ //$password = $_REQUEST['password']; ++ $username = $_SERVER['PHP_AUTH_USER']; ++ $password = $_SERVER['PHP_AUTH_PW']; ++ ++ $ua = $_SERVER['HTTP_USER_AGENT']; ++ $rqt = $_SERVER['REQUEST_TIME']; ++ $rqaddr = $_SERVER['REMOTE_ADDR']; ++ $max = mt_getrandmax(); ++ $rqt .= mt_rand(0,$max); ++ $rqaddr .= mt_rand(0,$max); ++ $ua .= mt_rand(0,$max); ++ $cmpid = $rqt . $rqaddr . 
$ua; ++ $id = md5($cmpid); ++ $db = mysql_connect($dbHost,$dbUser,$dbPass); ++ $link = mysql_select_db($dbName, $db); ++ if ($link) { ++ $user = cleanUp($username); ++ $query = "SELECT * FROM user_info WHERE username = '$user'"; ++ $result = mysql_query($query); ++ $numRows = mysql_num_rows($result); ++ ++ if ($numRows > 0) { ++ while ($row = mysql_fetch_row($result)) { ++ $userName = $row[1]; ++ $lastLogin = $row[2]; ++ $userHash = $row[3]; ++ $userEmail = $row[4]; ++ $userType = $row[5]; ++ $userTime = $row[6]; ++ $tzoffset = $row[7]; ++ } ++ // The first 2 chars are the salt ++ $theSalt = substr($userHash, 0,2); ++ ++ // The remainder is the hash ++ $theHash = substr($userHash, 2); ++ ++ // Now we hash the users input ++ $testHash = sha1($password . $theSalt); ++ ++ // Does it match? If yes, start the session. ++ if ($testHash === $theHash) { ++ session_start(); ++ ++ // Protect against session fixation attack ++ if (!isset($_SESSION['initiated'])) { ++ session_regenerate_id(); ++ $_SESSION['initiated'] = true; ++ } ++ ++ $_SESSION['sLogin'] = 1; ++ $_SESSION['sUser'] = $userName; ++ $_SESSION['sPass'] = $password; ++ $_SESSION['sEmail'] = $userEmail; ++ $_SESSION['sType'] = $userType; ++ $_SESSION['sTime'] = $userTime; ++ $_SESSION['tzoffset'] = $tzoffset; ++ $_SESSION['sTab'] = 't_sum'; ++ $_SESSION['id'] = $id; ++ ++ header ("Location: index.php?id=$id"); ++ } else { ++ $err = 'The user name or password is incorrect.'; ++ $focus = 'username'; ++ } ++ } else { ++ $err = 'The user name or password is incorrect.'; ++ $focus = 'username'; ++ } ++ } else { ++ $err = 'Connection Failed'; ++ } ++//} ++?> ++ ++ ++ ++Please login to continue ++ ++ ++ ++ ++
++
++ ++ ++ ++ ++ ++ ++
++squert - Please login to continue
++Username
++
++Password
++
++

++
Version 1.6.4©2016 Paul Halliday
++
++
++ ++ ++ diff --git a/debian/patches/move-files-from-elastic-package b/debian/patches/move-files-from-elastic-package new file mode 100644 index 0000000..bab486d --- /dev/null +++ b/debian/patches/move-files-from-elastic-package 
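Review bot: In the added auth/sso/squert/login.php, the successful-login branch calls `header ("Location: index.php?id=$id");` without a following `exit;`, so the script keeps running and the login form below `?>` is still emitted after the redirect header; add `exit;` directly after the header() call. The same branch stores the cleartext password in `$_SESSION['sPass']`, which nothing in this hunk reads back and which widens the impact of any session-store exposure, so that assignment should be dropped. The credential check is `sha1($password . $theSalt)` with a two-character salt taken from the stored hash, and `cleanUp()` relies on `mysql_real_escape_string()` from the ext/mysql extension that PHP 7 removed; if the schema can change, `password_hash()`/`password_verify()` with a PDO prepared statement would replace both. `session_set_cookie_params(0, NULL, NULL, NULL, TRUE)` sets HttpOnly but leaves the Secure flag unset; pass `TRUE` as the fourth argument when the application is only served over TLS.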
@@ -0,0 +1,3465 @@ +Description: + TODO: Put a short summary on the line above and replace this paragraph + with a longer explanation of this change. Complete the meta-information + with other relevant fields (see below for details). To make it easier, the + information below has been extracted from the changelog. Adjust it or drop + it. + . + securityonion-squert (20161212-1ubuntu1securityonion32) xenial; urgency=medium + . + * move files from elastic package +Author: Doug Burks + +--- +The information above should follow the Patch Tagging Guidelines, please +checkout http://dep.debian.net/deps/dep3/ to learn about the format. Here +are templates for supplementary fields that you might want to add: + +Origin: , +Bug: +Bug-Debian: http://bugs.debian.org/ +Bug-Ubuntu: https://launchpad.net/bugs/ +Forwarded: +Reviewed-By: +Last-Update: + +--- /dev/null ++++ securityonion-squert-20161212/.js/squertMain.js +@@ -0,0 +1,3276 @@ ++/* Copyright (C) 2012 Paul Halliday */ ++ ++$(document).ready(function(){ ++ ++ $(document).on('click', '[class*="bpr"]', function() { ++ // We disallow filtering if any events have already been selected ++ // or if we stray from the event tab ++ if ($('.d_row_active')[0]) return; ++ if ($(".chk_event:checked").length > 0) return; ++ if ($(".tab_active").attr('id') != 't_sum') return; ++ ++ var prClass = $(this).attr('class').split('b')[1]; ++ var prOld = $(this).data('pr'); ++ ++ function flipIt(pattern) { ++ $(pattern).closest('tr').hide(); ++ $(pattern).closest('tr').attr('class','hidden'); ++ if ($('#gr').text() == 'on') $(pattern).closest('tr').find('.chk_event').prop("disabled",true); ++ } ++ if ($('.b' + prClass).attr('class') == 'bprA') { ++ $('.b' + prClass).attr('class', 'bpr' + prOld); ++ $('.hidden').attr('class','d_row'); ++ $('.d_row').show(); ++ if ($('#gr').text() == 'on') { ++ $('.chk_event').prop("disabled",false); ++ $('.chk_all').prop("checked",false); ++ $('.chk_event').css("background-color", "#fafafa"); ++ } ++ } else { ++ 
// See if we are already filtered ++ if ($('.bprA')[0]) { ++ $('.hidden').attr('class','d_row'); ++ $('.d_row').show(); ++ if ($('#gr').text() == 'on') { ++ $('.chk_event').prop("disabled",false); ++ $('.chk_all').prop("checked",false); ++ $('.chk_event').css("background-color", "#fafafa"); ++ } ++ var prPrev = $('.bprA').data('pr'); ++ $('.bprA').attr('class', 'bpr' + prPrev); ++ } ++ $('.b' + prClass).attr('class','bprA'); ++ switch (prClass) { ++ case "pr1": ptrn = ".pr2,.pr3,.pr4"; break; ++ case "pr2": ptrn = ".pr1,.pr3,.pr4"; break; ++ case "pr3": ptrn = ".pr1,.pr2,.pr4"; break; ++ case "pr4": ptrn = ".pr1,.pr2,.pr3"; break; ++ } ++ flipIt(ptrn); ++ } ++ }); ++ ++ // ++ // Load main content ++ // ++ ++ // Keep track of context ++ thisUser = $('#t_usr').data('c_usr'); ++ thisTZ = $('#user_tz').val(); ++ rtbit = 0; ++ eventList("0-aaa-00"); ++ $("#loader").show(); ++ lastclasscount = 0; ++ ++ $(document).on("click", "#dt_savetz", function(event) { ++ if ($('.dt_error').data('err') == 0) { ++ var newOffset = $('#ts_offset').val(); ++ profileUpdate("tz", s2h(newOffset)); ++ $('#user_tz').val(newOffset); ++ } ++ }); ++ ++ // Depending on context a 'No result' may be confusing ++ // so we turn off active queue and show everything ++ $(document).on('click', '#retry', function() { ++ $('#rt').attr('class','tvalue_off'); ++ $('#rt').text('off'); ++ rtbit = 0; ++ $('.b_update').click(); ++ }); ++ ++ // Get event statuses ++ var eTotal = 0, qTotal = 0; ++ function statusPoll(caller) { ++ // See if we are filtering by sensor ++ var theSensors = s2h('empty'); ++ if ($('.chk_sen:checked').length > 0) { ++ var active_sensors = "AND event.sid IN("; ++ var iter = $('.chk_sen:checked').length; ++ $('.chk_sen:checked').each(function() { ++ active_sensors += "'" + $(this).val() + "',"; ++ }); ++ active_sensors = active_sensors.replace(/,+$/,''); ++ active_sensors += ")"; ++ theSensors = s2h(active_sensors); ++ } ++ ++ var urArgs = "type=" + 6 + "&ts=" + theWhen + "&sensors=" + 
theSensors; ++ $(function(){ ++ $.get(".inc/callback.php?" + urArgs, function(data){cb(data)}); ++ }); ++ ++ function cb(data){ ++ // Check to make sure we still have a valid session. If we don't ++ // let the user know and return them to the login page. ++ if (data[0] == "<") { ++ $("span.class_msg").text("Your session has expired!"); ++ $("span.class_msg").css("background-color", "#cc0000"); ++ $("span.class_msg").css("color", "#fff"); ++ $("span.class_msg").show(); ++ var sessionDead = confirm("Your session has expired. Press \"OK\" to return to the login page. If you aren't finished with what you were looking at click 'Cancel'. Note: you won't be able to perform any actions."); ++ if (sessionDead) { ++ $("#logout").click(); ++ } ++ } ++ eval("ec=" + data); ++ ++ var esum = 0; ++ ++ for (var i=0; i 0) { ++ var p = parseFloat(ecount/esum*100).toFixed(1); ++ var w = parseInt(p*2); ++ } ++ if (eclass == 0) { ++ qTotal = ecount; ++ } ++ $("#c-" + eclass).text(ecount); ++ $("#c-" + eclass).append("(" + p + "%)"); ++ } ++ ++ var lastcount = $("#cat_sum").val(); ++ var newcount = esum; ++ $("#cat_sum").val(esum); ++ eTotal = esum; ++ $("#event_sum").val(eTotal); ++ ++ if (caller == 0) { // Fresh load ++ lastcount = newcount; ++ } ++ ++ // Last RT value ++ var lastQ = Number($("#qtotal").html()); ++ if (lastcount < newcount) { ++ $("#etotal").html(eTotal); ++ } ++ ++ if (lastQ < qTotal) { ++ if (caller != 0) { ++ if ($(".icon_notifier").css('display') == 'none') $(".icon_notifier").fadeToggle(); ++ } ++ $("#etotal").html(eTotal); ++ $("#qtotal").html(qTotal); ++ } ++ ++ $("#title").html("squert (" + qTotal + ") - " + thisUser); ++ ++ } ++ ++ } ++ ++ // ++ // Event monitor (how often we poll for new events) ++ // ++ ++ var emTimeout = 30000; ++ window.setInterval(function(){ ++ if ($('#search').val().length == 0) { ++ statusPoll(1); ++ } ++ }, emTimeout); ++ ++ $(document).on("click", '[class*="cl_"]', function(event) { ++ var nc = $(this).attr('class').split("_"); ++ 
var ct = $(this).parents('table').data('comment'); ++ $(".cat_msg_txt").val(ct); ++ $('#b_class-' + nc[1]).click(); ++ }); ++ ++ // Tabs ++ var tab_cached = $("#sel_tab").val(); ++ ++ switch (tab_cached) { ++ case "t_sum": ++ $('.content-right').show(); ++ break; ++ case "t_ovr": ++ $('.content-right').hide(); ++ $('.content-left').hide(); ++ if ($('#ovestat').text().length == 0) loadSummary(); ++ break; ++ case "t_view": ++ $('.content-right').hide(); ++ $('.content-left').hide(); ++ loadViews(); ++ default: ++ $('.content-right').hide(); ++ $('.content-left').hide(); ++ break; ++ } ++ ++ $('#' + tab_cached).attr('class','tab_active'); ++ $("#" + tab_cached + "_content").attr('class','content_active'); ++ ++ $(".tab,.tab_active").click(function(event) { ++ var active = $(".tab_active").attr('id'); ++ var content = $(".content_active").attr('id'); ++ if ($(".fl_val_on")[0]) { ++ $('.b_update').click(); ++ } ++ ++ if ( this.id != active ) { ++ $("#" + active).removeClass('tab_active'); ++ $("#" + active).addClass('tab'); ++ $(this).attr('class','tab_active'); ++ $("#" + content).attr('class','content'); ++ $("#" + this.id + "_content").attr('class','content_active'); ++ activeTab = $(".tab_active").attr('id'); ++ $('.pin').hide(); ++ ++ switch (activeTab) { ++ case "t_sum": ++ $('.content-right').show(); ++ if (Number($('.botog').data('val')) == 1) $('.content-left').show(); ++ $('.t_pbar').css('opacity',1); ++ $('.db_links').hide(); ++ $('.pin').show(); ++ break; ++ case "t_ovr": ++ $('.content-right').hide(); ++ $('.content-left').hide(); ++ if ($('#ovestat').text().length == 0) loadSummary(); ++ $('.t_pbar').css('opacity',.1); ++ $('.db_links').hide(); ++ break; ++ case "t_view": ++ $('.content-right').hide(); ++ $('.content-left').hide(); ++ $('.t_pbar').css('opacity',.1); ++ loadViews(); ++ break; ++ default: ++ $('.content-right').hide(); ++ $('.content-left').hide(); ++ $('.t_pbar').css('opacity',.1); ++ $('.db_links').hide(); ++ break; ++ } ++ ++ 
$('#sel_tab').val(activeTab); ++ var ctab = $('#sel_tab').val(); ++ var urArgs = "type=" + 5 + "&tab=" + ctab; ++ $.get(".inc/callback.php?" + urArgs); ++ } ++ }); ++ ++ // Sub tab groups ++ $(".tsg").click(function(event) { ++ var nc = Number($(this).attr('class').split(/\s/).length); ++ var ct = $(this).data('tab'); ++ $('.tsg_active').attr('class','tsg'); ++ $(this).attr('class','tsg tsg_active'); ++ }); ++ ++ // Toggle and update views ++ function newView(req) { ++ // No racing please ++ var bail = $("#loader").css('display'); ++ if (bail != 'none') return; ++ // Remove any stale views ++ $("#tl0,#tl1,#tl3a,#tl3b").remove(); ++ var f = "0-aaa-00"; ++ var s = "2a-aaa-00"; ++ var cv = $("#gr").text(); ++ ++ switch (cv) { ++ case "on": ++ eventList(f); ++ $("#loader").show(); ++ break; ++ case "off": ++ eventList(s); ++ $("#loader").show(); ++ break; ++ } ++ } ++ ++ // Group and ungroup ++ $(document).on("click", "#gr", function(event) { ++ var bail = $("#loader").css('display'); ++ if (bail != 'none') return; ++ var cv = $('#gr').text(); ++ switch (cv) { ++ case 'on': ++ $('#gr').attr('class','tvalue_off'); ++ $('#gr').text('off'); ++ break; ++ case 'off': ++ $('#gr').attr('class','tvalue_on'); ++ $('#gr').text('on'); ++ $("#event_sort").val("DESC"); ++ break; ++ } ++ }); ++ ++ // RT check/uncheck ++ $(document).on("click", "#rt", function(event) { ++ var bail = $("#loader").css('display'); ++ if (bail != 'none') return; ++ var cv = $('#rt').text(); ++ switch (cv) { ++ case 'on': ++ $('#rt').attr('class','tvalue_off'); ++ $('#rt').text('off'); ++ rtbit = 0; ++ break; ++ case 'off': ++ $('#rt').attr('class','tvalue_on'); ++ $('#rt').text('on'); ++ rtbit = 1; ++ break; ++ } ++ }); ++ ++ // Toggle side/lower bars ++ $(document).on("click", ".botog", function(event) { ++ if ($('.tab_active').attr('id') != 't_sum') return; ++ var n = Number($('.botog').data("val")); ++ switch (n) { ++ case 1: ++ $('.botog').data("val","0"); ++ $('.content-right').css("width","100%"); 
++ $('.botog').attr('src','.css/layout0.png'); ++ break; ++ case 0: ++ $('.botog').data("val","1"); ++ $('.content-right').css("width","82%"); ++ $('.botog').attr('src','.css/layout1.png'); ++ break; ++ } ++ $('.bottom').animate({height: 'toggle'}); ++ $('.content-left').animate({width: 'toggle'}); ++ }); ++ ++ // Section show and hide ++ $(".st").click(function() { ++ var thisSec = $(this).data("sec"); ++ var thisSecID = "#sec_" + thisSec; ++ var thisSecVis = $(thisSecID).css("display"); ++ var lastSection = "h"; ++ switch (thisSecVis) { ++ case "none": ++ $(this).attr("src", ".css/uarr.png"); ++ $(thisSecID).slideDown(); ++ break; ++ default: ++ $(this).attr("src", ".css/darr.png"); ++ $(thisSecID).slideUp(); ++ break; ++ } ++ }); ++ ++ // If search is in focus, update on enter ++ $('#search').keypress(function(e) { ++ if (!e) e=window.event; ++ key = e.keyCode ? e.keyCode : e.which; ++ if (key == 13) { ++ // Close comment box if it is open ++ if ($('#cat_box').css('display') != 'none') { ++ $('#ico01').click(); ++ } ++ $('.b_update').click(); ++ } ++ }); ++ ++ // Sort ASC/DESC ++ $(document).on("click", ".event_time", function(event) { ++ var csv = $(".event_time").text(); ++ switch (csv) { ++ case "show oldest first": ++ $("#event_sort").val("ASC"); ++ break; ++ case "show newest first": ++ $("#event_sort").val("DESC"); ++ break; ++ } ++ newView("u"); ++ }); ++ ++ // Update page ++ $(document).on("click", ".b_update", function(event) { ++ $(".icon_notifier").fadeToggle(); ++ $(".tag").remove(); ++ $(".tag_empty").show(); ++ // Remove any supplementary results ++ if ($("#extresult")[0]) $("#extresult").remove(); ++ // Where are we? 
++ var curTab = $('.tab_active').attr('id'); ++ switch (curTab) { ++ case 't_ovr': ++ loadSummary(); ++ break; ++ case 't_view': ++ mkView(); ++ break; ++ default: ++ $(".b_update_note").hide(); ++ newView("u"); ++ break; ++ } ++ }); ++ ++ // Clear search and refresh ++ $('#clear_search').click(function() { ++ if ($('#search').val() != '') { ++ $('#search').val(''); ++ $("#search").focus(); ++ if ($(".fl_val_on")[0]) { ++ $('.b_update').click(); ++ } ++ } ++ }); ++ ++ // Logout ++ $("#logout").click(function(event) { ++ //$.get("/logout.html", function(){location.reload()}); ++ location.replace("/logout.html"); ++ }); ++ ++ // Toggle filters ++ $(document).on('click', '.fl_val_on', function(event) { ++ var wF = $(this).data("ft"); ++ switch (wF) { ++ case "tl": ++ ++ break; ++ case "ob": ++ $('#clear_search').click(); ++ break; ++ case "sn": ++ $(".chk_sen").each(function() { ++ $(this).prop("checked",false); ++ }); ++ $('.b_update').click(); ++ break; ++ } ++ }); ++ ++ function clearTags() { ++ //$(".tag").remove(); ++ //$(".tag_empty").show(); ++ $(".tag").removeClass('tag_active'); ++ } ++ ++ // ++ // Rows ++ // ++ ++ function closeRow() { ++ $("#active_eview").remove(); ++ $("#" + this.id).attr('class','d_row'); ++ $(".d_row").css('opacity','1'); ++ ltCol = $(".d_row_active").find('td.lt').html(); ++ $(".d_row_active").find('td.lt').css('background', ltCol); ++ $(".d_row_active").attr('class','d_row'); ++ // Update class_count ++ $("#class_count").text(lastclasscount); ++ // Get rid of any crashed loaders ++ $("#loader").hide(); ++ // Reset checkbox ++ $(".chk_all").prop("checked",false); ++ // Clear Tags ++ clearTags(); ++ } ++ function closeSubRow() { ++ $("#eview_sub1").remove(); ++ $("#" + this.id).attr('class','d_row_sub'); ++ $(".d_row_sub").css('opacity','1'); ++ $(".d_row_sub_active").attr('class','d_row_sub'); ++ // Update class_count ++ $("#class_count").text(lastclasscount); ++ curclasscount = lastclasscount; ++ $("#loader").hide(); ++ // Reset and 
show checkbox ++ $(".chk_all").prop("checked",false); ++ $("#ca0").show(); ++ // Remove any open externals ++ if ($("#extresult")[0]) $("#extresult").remove(); ++ // Clear Tags ++ clearTags(); ++ } ++ function closeSubRow1() { ++ $("#eview_sub2").remove(); ++ $("#" + this.id).attr('class','d_row_sub1'); ++ if (!$("#eview_sub3")[0]) { ++ $(".d_row_sub1").css('opacity','1'); ++ $(".d_row_sub_active1").attr('class','d_row_sub1'); ++ } ++ $("#loader").hide(); ++ // Reset checkbox ++ $(".chk_all").prop("checked",false); ++ // Remove any open externals ++ if ($("#extresult")[0]) $("#extresult").remove(); ++ // Clear Tags ++ clearTags(); ++ } ++ function closeSubRow2() { ++ $("#eview_sub3").remove(); ++ $("#" + this.id).attr('class','d_row_sub1'); ++ if (!$("#eview_sub2")[0]) { ++ $(".d_row_sub1").css('opacity','1'); ++ $(".d_row_sub1_active").attr('class','d_row_sub1'); ++ } ++ $("#loader").hide(); ++ // Clear Tags ++ clearTags(); ++ } ++ ++ // ++ // Level 1 ++ // ++ ++ $(document).on("click", ".row_active", function(event) { ++ var curID = $(this).parent('tr').attr('id'); ++ // What type of row are we? ++ rowType = curID.substr(0,3); ++ ++ // Make sure no other instances are open ++ if (!$(".d_row_active")[0] && rowType == 'sid') { ++ $("#loader").show(); ++ // This leaves us with sid-gid ++ var rowValue = curID.replace("sid-",""); ++ var sigID = rowValue.split("-")[0]; ++ ++ $(".d_row_active").attr('class', 'd_row'); ++ $("#active_eview").attr('class','d_row'); ++ ++ // This is now the active row ++ $("#" + curID).attr('class','d_row_active'); ++ $("html, body").animate({ scrollTop: $('.d_row_active').offset().top - 140 }, 20); ++ // History ++ var itemToAdd = $("#" + curID).find('[class*="row_filter"]').text(); ++ hItemAdd(itemToAdd); ++ // Set the class count (counted again after load) ++ curclasscount = $('.d_row_active').data('event_count'); ++ var cols = $('th.sort').length; ++ var tbl = ''; ++ tbl += ""; ++ tbl += "
"; ++ tbl += "
"; ++ tbl += "
"; ++ tbl += "
"; ++ tbl += "
"; ++ tbl += "
"; ++ tbl += "
"; ++ tbl += "
"; ++ tbl += ""; ++ tbl += "CATEGORIZE"; ++ tbl += curclasscount + "EVENT(S)  "; ++ tbl += "    "; ++ tbl += "CREATE FILTER: "; ++ tbl += "src  "; ++ tbl += "dst  "; ++ tbl += "both"; ++ tbl += "
"; ++ $("#" + curID).after(tbl); ++ ++ // Lookup signature ++ sigLookup(rowValue); ++ ++ // Fetch results ++ eventList("1-" + rowValue); ++ ++ $("#eview").show(); ++ $(".d_row").fadeTo('0','0.2'); ++ } else { ++ closeRow(); ++ } ++ }); ++ ++ // ++ // Level 2 ++ // ++ ++ $(document).on("click", ".sub_active", function() { ++ if (!$(".d_row_sub_active")[0]) { ++ var callerID = $(this).parent('tr').attr('id'); ++ ++ // Reset checkbox ++ $(".chk_all").prop("checked",false); ++ ++ // RT or ALL? ++ switch (rtbit) { ++ case 1: adqp = s2h("AND event.status = 0"); break; ++ case 0: adqp = s2h("empty"); break; ++ } ++ // We are now the active row ++ $("#" + callerID).attr('class','d_row_sub_active'); ++ ++ // Populate search times ++ var bt = $("#" + callerID).find('[class*="timestamp"]').html(); ++ var est = mkStamp(bt,"-",3600000,thisTZ); ++ var eet = mkStamp(bt,"+",3600000,thisTZ); ++ ++ $('#el_start').val(est); ++ $('#el_end').val(eet); ++ ++ // Clear search terms ++ $("#srchterms").html(''); ++ $(".srch_txt").val(''); ++ ++ // History and search ++ $("#" + callerID).find('[class*="sub_filter"]').each(function() { ++ if ($(this).data('type') == 'cc') { ++ var itemToAdd = $(this).data('value'); ++ } else { ++ var itemToAdd = $(this).text(); ++ // Add search terms ++ $("#srchterms").append("" + itemToAdd + "  "); ++ } ++ hItemAdd(itemToAdd); ++ }); ++ ++ $("#loader").show(); ++ eventList("2-" + callerID + "-" + adqp); ++ } else { ++ closeSubRow(); ++ } ++ }); ++ ++ // ++ // Level 3 (a or b) request payload ++ // ++ ++ $(document).on("click", ".sub1_active", function() { ++ // Close transcript if it is open ++ if ($(".eview_sub3")[0]) closeSubRow2(); ++ if (!$(".d_row_sub_active1")[0]) { ++ var callerID = $(this).parent('tr').attr('id'); ++ $("#" + callerID).attr('class','d_row_sub_active1'); ++ ++ // Populate search times ++ var bt = $("#" + callerID).find('[class*="timestamp"]').html(); ++ var est = mkStamp(bt,"-",1800000,thisTZ); ++ var eet = 
mkStamp(bt,"+",1800000,thisTZ); ++ ++ $('#el_start').val(est); ++ $('#el_end').val(eet); ++ ++ // Clear search terms ++ $("#srchterms").html(''); ++ $(".srch_txt").val(''); ++ ++ // History ++ $("#" + callerID).find('[class*="sub_filter"]').each(function() { ++ if ($(this).data('type') == 'cc') { ++ var itemToAdd = $(this).data('value'); ++ } else { ++ var itemToAdd = $(this).text(); ++ } ++ if ($(this).data('type') == 'ip') { ++ // Add search terms ++ $("#srchterms").append("" + itemToAdd + "  "); ++ } ++ hItemAdd(itemToAdd); ++ }); ++ $("#loader").show(); ++ eventList("3-" + callerID); ++ } else { ++ closeSubRow1() ++ } ++ }); ++ ++ // ++ // Level 3 (a or b) request transcript ++ // ++ ++ $(document).on("click", ".sub2_active", function(event) { ++ // Close payload if it is open ++ if ($(".eview_sub2")[0]) closeSubRow1(); ++ var bail = $("#loader").css('display'); ++ if (bail != 'none') return; ++ if (!$(".eview_sub3")[0]) { ++ $("#loader").show(); ++ composite = $(this).data('tx').split("-"); ++ rowLoke = composite[0]; ++ $("#" + rowLoke).attr('class','d_row_sub1_active'); ++ nCols = $("#" + rowLoke).find('td').length; ++ cid = composite[1]; ++ txdata = composite[2]; ++ ++ // See if a transcript is available ++ var urArgs = "type=" + 7 + "&txdata=" + txdata; ++ $(function(){ ++ $.post(".inc/callback.php?" + urArgs, function(data){cb5(data)}); ++ }); ++ ++ function cb5(data){ ++ eval("txRaw=" + data); ++ txCMD = txRaw.cmd; ++ txResult = txRaw.tx; ++ txDebug = txRaw.dbg; ++ if (txResult == "DEBUG:") txResult += " No data was returned."; ++ if (!txResult) { ++ txResult = "Transcript request failed!

"; ++ txResult += "The command was:
" + txCMD + "

"; ++ txResult += "The response was:" + txDebug.replace(/DEBUG:/g,"
"); ++ } ++ ++ var row = '',tbl = ''; ++ row += ""; ++ row += ""; ++ row += "
"; ++ row += txResult; ++ row += "
"; ++ ++ tbl += ""; ++ tbl += row; ++ tbl += ""; ++ $("#" + rowLoke).after(tbl); ++ ++ // Turn off fade effect for large results ++ var rC = $(".d_row_sub1").length; ++ if ( rC <= 399 ) { ++ $(".d_row_sub1").fadeTo('fast','0.2'); ++ } ++ ++ $("#loader").hide(); ++ } ++ } else { ++ closeSubRow2(); ++ } ++ }); ++ ++ // Toggle RT depending on entry point ++ $(document).on("click", ".b_ec_hot", function() { ++ rtbit = 1; ++ }); ++ $(document).on("click", ".b_ec_total", function() { ++ rtbit = 0; ++ }); ++ ++ // Filter constructor ++ function mkFilter() { ++ if ($('#search').val().length > 0) { ++ ++ var srchVal = $('#search').val(); ++ var fParts = ""; ++ ++ // If no term is supplied default to a string, IP or wildcard IP search ++ chkVal: ++ if (srchVal.indexOf(" ") == -1 && srchVal[0] != "!") { ++ var re = /^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}/; ++ if (re.exec(srchVal)) { ++ srchVal = "ip " + srchVal; ++ break chkVal; ++ } ++ ++ var re = /^(\d{1,3}|%)\.(\d{1,3}|%)\.(\d{1,3}|%)\.(\d{1,3}|%)/; ++ if (re.exec(srchVal)) { ++ srchVal = "wip " + srchVal; ++ break chkVal; ++ } ++ ++ srchVal = "sig " + srchVal; ++ } ++ ++ fParts = srchVal.replace(/^!/,"").split(" "); ++ if (fParts[0] == 'cmt') { ++ var theFilter = s2h($('#search').val()); ++ rtbit = 0; ++ } else { ++ // Now see if the requested filter exists ++ if ($("#tr_" + fParts[0]).length > 0) { ++ tmpFilter = $("#tr_" + fParts[0]).data('filter'); ++ // Now see if we need to modify the query ++ if (fParts[1]) { ++ // This is the base filter ++ preFilter = h2s(tmpFilter); ++ // This is the user supplied text. 
++ var re = new RegExp("^" + fParts[0] + "\\s{1}|[';\\\`]","g"); ++ theQuestion = fParts.join(' ').replace(re, ""); ++ // We will accept multiple questions if they are comma delimited ++ questionParts = theQuestion.split(","); ++ if (questionParts.length > 1) { ++ var f = '('; ++ for (var i = 0; i < questionParts.length; i++) { ++ f += preFilter.replace(/\$/g, questionParts[i]); ++ if (i != (questionParts.length - 1)) { ++ f += " OR "; ++ } ++ } ++ f += ')'; ++ theFilter = s2h(f); ++ } else { ++ var newFilter = preFilter.replace(/\$/g, questionParts[0]); ++ theFilter = s2h(newFilter); ++ } ++ } else { ++ theFilter = tmpFilter; ++ } ++ } else { // The filter does not exist ++ theFilter = s2h('empty'); ++ } ++ } ++ } else { // No filter supplied ++ theFilter = s2h('empty'); ++ } ++ return theFilter; ++ } ++ ++ // ++ // This creates the views for each level ++ // ++ ++ function eventList (type) { ++ theWhen = getTimestamp(); ++ statusPoll(0); ++ var parts = type.split("-"); ++ var filterMsg = ''; ++ var rt = 0; ++ var theSensors = s2h('empty'); ++ var theFilter = mkFilter(); ++ ++ // See if we are just RT events ++ if ($('#rt').text() == 'on' || rtbit == 1) { ++ rt = 1; ++ rtbit = 1; ++ } ++ // How are we sorting? 
++ var sortval = $("#event_sort").val(), sorttxt; ++ switch (sortval) { ++ case "DESC": sorttxt = "show oldest first"; break; ++ case "ASC": sorttxt = "show newest first"; break; ++ } ++ ++ // See if we are filtering by sensor ++ if ($('.chk_sen:checked').length > 0) { ++ var active_sensors = "AND event.sid IN("; ++ var iter = $('.chk_sen:checked').length; ++ $('.chk_sen:checked').each(function() { ++ active_sensors += "'" + $(this).val() + "',"; ++ }); ++ active_sensors = active_sensors.replace(/,+$/,''); ++ active_sensors += ")"; ++ theSensors = s2h(active_sensors); ++ } ++ ++ // Check for any filters ++ if (h2s(theFilter) != 'empty') { ++ $('.fl_val').text('YES'); ++ } else { ++ $('.fl_val').text('NO'); ++ } ++ ++ switch (parts[0]) { ++ ++ // Level 0 view - Grouped by Signature ++ case "0": ++ $('.value').text('-'); ++ ++ // Times Chart ++ var urChrtArgs = "type=22&ts=" + theWhen + "&filter=" + theFilter + "&sensors=" + theSensors; ++ $(function(){ ++ $.get(".inc/callback.php?" + urChrtArgs, function(data){cb22(data)}); ++ }); ++ ++ function cb22(data){ ++ eval("chartData=" + data); ++ var r = chartData.r; ++ if (r > 0) { ++ mkLine(".times",chartData.rows,chartData.m); ++ } ++ } ++ ++ var urArgs = "type=" + parts[0] + "&ts=" + theWhen + "&filter=" + theFilter + "&sensors=" + theSensors + "&rt=" + rt + "&sv=" + sortval; ++ $(function(){ ++ $.get(".inc/callback.php?" 
+ urArgs, function(data){cb1(data)}); ++ }); ++ function cb1(data){ ++ eval("d0=" + data); ++ var tbl = ''; ++ var head = ''; ++ var row = ''; ++ var cols = 11; ++ ++ if (rt == 0) cols = 12; ++ head += ""; ++ head += ""; ++ head += "QUEUE"; ++ if (rt == 0) head += "ALL"; ++ head += ""; ++ head += "SC"; ++ head += "DC"; ++ if (rt == 0) head += "CLASS"; ++ head += "ACTIVITY"; ++ head += "LAST EVENT"; ++ head += "SIGNATURE"; ++ head += "ID"; ++ head += "PROTO"; ++ head += "% TOTAL"; ++ head += ""; ++ ++ var sumEC = 0, sumSC = 0, sumDC = 0, sumSI = "-", spr1 = 0, spr2 = 0, spr3 = 0, spr4 = 0; ++ ++ if (d0.length > 0) { ++ // Sums for boxes ++ for (var i=0; i"; ++ row += "No result. If this is unexpected try this"; ++ } ++ ++ if (rt == 1) { ++ sumSC = "-"; ++ sumDC = "-"; ++ sumEC = eTotal; ++ } ++ ++ var sumRT = 0; ++ ++ // Tag Array ++ var tags = new Array(); ++ ++ for (var i=0; i 0 ) { ++ rtClass = "b_ec_hot"; ++ sumRT += parseInt(unClass); ++ } else { ++ rtClass = "b_ec_cold"; ++ } ++ ++ // Sum priorities ++ var prC = Number(d0[i].f1); ++ switch (d0[i].f13) { ++ case "1": spr1 += prC; break; ++ case "2": spr2 += prC; break; ++ case "3": spr3 += prC; break; ++ default: spr4 += prC; break; ++ } ++ ++ rid = "r" + i + "-" + parts[1]; ++ var cells = mkGrid(d0[i].f12); ++ if (rt == 0) var catCells = catGrid(d0[i].f11,0,0); ++ row += ""; ++ row += "
" + unClass + "
"; ++ if (rt == 0) row += "
" + d0[i].f1 + "
"; ++ row += "
" + d0[i].f13 + "
"; ++ row += "" +d0[i].f6+ ""; ++ row += "" +d0[i].f7+ ""; ++ if (rt == 0) row += "" + catCells + ""; ++ ++ timeParts = d0[i].f5.split(" "); ++ timeStamp = timeParts[1]; ++ ++ if ( sumEC > 0) { ++ rowPer = Number(d0[i].f1/sumEC*100).toFixed(3); ++ } else { ++ rowPer = "0.000"; ++ } ++ ++ row += "" + cells + ""; ++ row += "" + timeStamp + ""; ++ row += ""; ++ //row += "
" + d0[i].f2 + "
"; ++ row += d0[i].f2 + ""; ++ row += "" + d0[i].f3 + ""; ++ row += "" + d0[i].f8 + ""; ++ ++ ++ row += "" + rowPer + "%"; ++ row += ""; ++ } ++ ++ // Populate event summary ++ $('#qtotal').text(sumRT); ++ $('#etotal').text(sumEC); ++ $('#esignature').text(sumSI); ++ ++ // Populate tags ++ for (var i=0; i < tags.length; i++) { ++ addTag(tags[i]); ++ } ++ ++ tbl += ""; ++ tbl += head; ++ tbl += row; ++ tbl += "
"; ++ ++ $('#' + parts[1] + '-' + parts[2]).append(tbl); ++ ++ if (d0.length > 0) { ++ var prVals = [spr1,spr2,spr3,spr4]; ++ var pryBar = mkPribar(prVals); ++ } else { ++ var pryBar = mkPribar([0]); ++ } ++ $('#tl1').fadeIn('slow'); ++ $("#tl1").tablesorter(); ++ $("#loader").hide(); ++ } ++ break; ++ ++ // Level 1 view - Grouped by signature, source, destination ++ ++ case "1": ++ var urArgs = "type=" + parts[0] + "&object=" + parts[1] + "&ts=" + theWhen + "&filter=" + theFilter + "&sensors=" + theSensors + "&rt=" + rt + "&sv=" + sortval; ++ $(function(){ ++ $.get(".inc/callback.php?" + urArgs, function(data){cb2(data)}); ++ }); ++ ++ function cb2(data){ ++ eval("theData=" + data); ++ tbl = ''; ++ head = ''; ++ row = ''; ++ head += "QUEUE"; ++ if (rt == 0) head += "TOTAL"; ++ if (rt == 0) head += "CLASS"; ++ head += "ACTIVITY"; ++ head += "LAST EVENT"; ++ head += "SOURCE"; ++ head += "AGE"; ++ head += "COUNTRY"; ++ head += "DESTINATION"; ++ head += "AGE"; ++ head += "COUNTRY"; ++ head += ""; ++ var curclasscount = 0, tlCount = 0, rtCount = 0; ++ var timeValues = "", scid = ""; ++ ++ // Tag array ++ var tags = new Array(); ++ ++ for (var i=0; i 0 ) { ++ rtClass = "b_ec_hot"; ++ isActive = "sub_active"; ++ } else { ++ rtClass = "b_ec_cold"; ++ isActive = "sub"; ++ } ++ ++ // Aggregate time values ++ timeValues += theData[i].c_ts + ","; ++ var cells = mkGrid(theData[i].f12); ++ if (rt == 0) var catCells = catGrid(theData[i].c_status,0,0); ++ ++ // Event sums ++ tlCount += parseInt(count,10); ++ rtCount += parseInt(unclass,10); ++ ++ rid = "r" + i + "-" + parts[1] + "-" + src_ip + "-" + dst_ip; ++ row += ""; ++ row += "
" + unclass + "
"; ++ if (rt == 0) row += "
" + count + "
"; ++ if (rt == 0) row += "" + catCells + ""; ++ row += "" + cells + ""; ++ row += "" + max_time + ""; ++ row += "
" + src_ip + ""; ++ row += "" + src_age_n + ""; ++ row += ""; ++ row += cs[1] + src_clong + " (." + src_cc.toLowerCase() + ")" + ""; ++ row += "
" + dst_ip + ""; ++ row += "" + dst_age_n + ""; ++ row += ""; ++ row += cd[1] + dst_clong + " (." + dst_cc.toLowerCase() + ")" + ""; ++ row += ""; ++ } ++ ++ // Populate tags ++ for (var i=0; i < tags.length; i++) { ++ addTag(tags[i]); ++ } ++ ++ // Add scid's to checkbox ++ $("#ca0").data("scid", scid.replace(/,$/, "")); ++ ++ // If queue is empty provide event sums in case the user ++ // intends to reclass anything ++ if (rtbit == 1) { ++ curclasscount = rtCount; ++ } else { ++ curclasscount = tlCount; ++ } ++ ++ // update class_count ++ $("#class_count").html(curclasscount); ++ lastclasscount = $("#class_count").html(); ++ ++ // While in grouped events (RT) we remove rows as ++ // they are classed and subtract the values from "Total Events" ++ // This keeps etotal up to date so the math doesn't get silly ++ var oldrt = Number($(".d_row_active").find(".b_ec_hot").text()); ++ var oldec = Number($("#etotal").text()); ++ if (oldrt < rtCount) { ++ newrtcount = parseInt((rtCount - oldrt) + oldec); ++ $("#etotal").text(newrtcount); ++ } ++ ++ // Update parent counts ++ $(".d_row_active").find(".b_ec_hot").text(rtCount); ++ if (rt == 0) $(".d_row_active").find(".b_ec_total").text(tlCount); ++ ++ tbl += "
"; ++ tbl += head; ++ tbl += row; ++ tbl += "
"; ++ $("#eview").after(tbl); ++ $("#tl2").tablesorter({ ++ headers: { ++ 4: {sorter:'ipv4'}, ++ 6: {sorter:'ipv4'} ++ } ++ }); ++ $("#loader").hide(); ++ } ++ break; ++ ++ // Level 2 view - No grouping, individual events ++ ++ case "2": ++ var rowLoke = parts[1]; ++ var filter = $('#' + parts[1]).data('filter'); ++ var urArgs = "type=" + parts[0] + "&object=" + filter + "&filter=" + theFilter + "&sensors=" + theSensors + "&ts=" + theWhen + "&adqp=" + parts[2] + "&rt=" + rt + "&sv=" + sortval; ++ $(function(){ ++ $.get(".inc/callback.php?" + urArgs, function(data){cb3(data)}); ++ }); ++ ++ function cb3(data){ ++ eval("d2=" + data); ++ tbl = ''; ++ head = ''; ++ row = ''; ++ head += ""; ++ head += ""; ++ head += "ST"; ++ head += "TIMESTAMP"; ++ head += "EVENT ID"; ++ head += "SOURCE"; ++ head += "PORT"; ++ head += "DESTINATION"; ++ head += "PORT"; ++ head += "SIGNATURE"; ++ head += ""; ++ ++ // Update class_count ++ $("#class_count").html(0); ++ var tlCount=0, rtCount=0; ++ ++ // Tag array ++ var tags= new Array(); ++ ++ for (var i=0; i"; ++ tclass = "c" + eclass; ++ cv = classifications.class[tclass][0].short; ++ ++ // Populate tags array ++ if (src_tag != "-") { ++ var src_tags = src_tag.split(","); ++ $.each(src_tags, function(n,tag) { ++ var t = tags.indexOf(tag); ++ if (t < 0) tags.push(tag); ++ }); ++ } ++ ++ if (dst_tag != "-") { ++ var dst_tags = dst_tag.split(","); ++ $.each(dst_tags, function(n,tag) { ++ var t = tags.indexOf(tag); ++ if (t < 0) tags.push(tag); ++ }); ++ } ++ ++ // Timestamp ++ var compts = d2[i].f2.split(",") || "--"; ++ var timestamp = compts[0]; ++ var utctimestamp = compts[1]; ++ ++ // Event sums ++ tlCount += parseInt(1,10); ++ if (cv == "RT") { ++ rtCount += parseInt(1,10); ++ } ++ ++ // Transcript link ++ // original Squert native pivot: ++ //txdata = "s" + i + "-" + cid + "-" + s2h(sid + "|" + utctimestamp + "|" + src_ip + "|" + src_port + "|" + dst_ip + "|" + dst_port); ++ //txBit = "" + sid + "." + cid + "
"; ++ //if (src_port != "-" && dst_port != "-") { ++ // txBit = "" + sid + "." + cid + ""; ++ //} ++ // new pivot to CapMe: ++ txdata = "s" + i + "-" + cid + "-" + s2h(sid + "|" + utctimestamp + "|" + src_ip + "|" + src_port + "|" + dst_ip + "|" + dst_port); ++ txBit = "" + sid + "." + cid + ""; ++ if (src_port != "-" && dst_port != "-") { ++ var startDate = new Date(utctimestamp); ++ var start_tz_offset = (startDate.getTimezoneOffset()); ++ var stime = startDate.setTime( startDate.getTime()/1000-(start_tz_offset*60) ) - 3600; ++ var endDate = new Date(utctimestamp); ++ var end_tz_offset = (endDate.getTimezoneOffset()); ++ var etime = endDate.setTime( endDate.getTime()/1000-(end_tz_offset*60) ) + 3600; ++ txBit = " " + sid + "." + cid + ""; ++ } ++ ++ row += ""; ++ row += "
"; ++ row += cv + "
"; ++ row += "" + timestamp + ""; ++ row += txBit; ++ row += "" + src_ip + ""; ++ row += "" + src_port + ""; ++ row += "" + dst_ip + ""; ++ row += "" + dst_port + ""; ++ row += "" + signature + ""; ++ row += ""; ++ } ++ ++ // Update parent counts ++ $(".d_row_sub_active").find(".b_ec_hot").text(rtCount); ++ if ($(".d_row_sub_active").find(".b_ec_total").text() < tlCount) { ++ $(".d_row_sub_active").find(".b_ec_total").text(tlCount); ++ } ++ ++ var cols = $('th.sort').length; ++ ++ // Populate tags ++ clearTags(); ++ for (var i=0; i < tags.length; i++) { ++ addTag(tags[i]); ++ } ++ ++ tbl += ""; ++ tbl += ""; ++ tbl += head; ++ tbl += row; ++ tbl += "
"; ++ $("#" + rowLoke).after(tbl); ++ $(".d_row_sub").fadeTo('0','0.2'); ++ $("#loader").hide(); ++ $("#tl3").tablesorter({ ++ headers: { ++ 0:{sorter:false}, ++ 4:{sorter:'ipv4'}, ++ 6:{sorter:'ipv4'} ++ }, ++ cancelSelection:false ++ }); ++ $("#ca0").hide(); ++ } ++ break; ++ ++ // Level 2a view - No grouping, individual events ++ ++ case "2a": ++ $('.value').text('-'); ++ var urArgs = "type=2a&ts=" + theWhen + "&filter=" + theFilter + "&sensors=" + theSensors + "&rt=" + rt + "&sv=" + sortval; ++ $(function(){ ++ $.get(".inc/callback.php?" + urArgs, function(data){cb3a(data)}); ++ }); ++ ++ function cb3a(data){ ++ eval("d2a=" + data); ++ var tbl = ''; ++ var head = ''; ++ var row = ''; ++ var disabled = ''; ++ if (d2a.length == 0) { ++ disabled = "disabled"; ++ row += ""; ++ row += "No result. If this is unexpected try this"; ++ } ++ ++ head += ""; ++ head += ""; ++ head += ""; ++ head += "ST"; ++ head += ""; ++ head += "TIMESTAMP"; ++ head += "ID"; ++ head += "SOURCE"; ++ head += "PORT"; ++ head += "AGE"; ++ head += "CC"; ++ head += "DESTINATION"; ++ head += "PORT"; ++ head += "AGE"; ++ head += "CC"; ++ head += "SIGNATURE"; ++ head += ""; ++ ++ // Aggregate time values ++ var timeValues = ""; ++ for (var ts=0; ts" + sid + "." + cid + ""; ++ //if (src_port != "-" && dst_port != "-") { ++ // txBit = "" + sid + "." + cid + ""; ++ //} ++ // new pivot to CapMe: ++ txdata = "s" + i + "-" + cid + "-" + s2h(sid + "|" + utctimestamp + "|" + src_ip + "|" + src_port + "|" + dst_ip + "|" + dst_port); ++ txBit = "" + sid + "." + cid + ""; ++ if (src_port != "-" && dst_port != "-") { ++ var startDate = new Date(utctimestamp); ++ var start_tz_offset = (startDate.getTimezoneOffset()); ++ var stime = startDate.setTime( startDate.getTime()/1000-(start_tz_offset*60) ) - 3600; ++ var endDate = new Date(utctimestamp); ++ var end_tz_offset = (endDate.getTimezoneOffset()); ++ var etime = endDate.setTime( endDate.getTime()/1000-(end_tz_offset*60) ) + 3600; ++ txBit = " " + sid + "." 
+ cid + ""; ++ } ++ ++ row += ""; ++ row += ""; ++ row += "
"; ++ row += cv + "
"; ++ row += "
" + d2a[i].f16 + "
"; ++ row += "" + timestamp + ""; ++ row += txBit; ++ row += "
" + src_ip + ""; ++ row += "" + src_port + ""; ++ row += "" + src_age_n + ""; ++ row += "" + cs[1] + ""; ++ row += "
" + dst_ip + ""; ++ row += "" + dst_port + ""; ++ row += "" + dst_age_n + "" ++ row += "" + cd[1] + ""; ++ row += "" + signature + ""; ++ } ++ ++ var sumED = 0, sumEC = 0, cmsg = ""; ++ ++ if (d2a.length > 0) { ++ sumED = i; ++ sumEC = d2a.length; ++ } ++ ++ if (d2a.length >= maxI) { ++ sumRE = sumEC - maxI; ++ cmsg = " / " + sumRE + " not shown"; ++ } ++ ++ $("#qtotal").html(rsumRT); ++ ++ // Populate tags ++ clearTags(); ++ for (var i=0; i < tags.length; i++) { ++ addTag(tags[i]); ++ } ++ ++ // Draw ++ tbl += ""; ++ tbl += "
"; ++ tbl += "
"; ++ tbl += "
"; ++ tbl += "categorize " + 0 + ""; ++ tbl += " of " + sumED + " event(s)" + cmsg; ++ tbl += "
"; ++ tbl += "
" + sorttxt + "
"; ++ tbl += "
"; ++ tbl += "
"; ++ tbl += ""; ++ tbl += head; ++ tbl += row; ++ tbl += "
"; ++ $('#' + parts[1] + '-' + parts[2]).after(tbl); ++ ++ if (d2a.length > 0) { ++ var prVals = [spr1,spr2,spr3,spr4]; ++ var pryBar = mkPribar(prVals); ++ } else { ++ var pryBar = mkPribar([0]); ++ } ++ $("#tl3a,#tl3b").fadeIn('slow'); ++ $("#tl3b").tablesorter({ ++ headers: { ++ 0:{sorter:false}, ++ 1:{sorter:false}, ++ 5:{sorter:'ipv4'}, ++ 8:{sorter:'ipv4'} ++ }, ++ cancelSelection:false ++ }); ++ $("#loader").hide(); ++ } ++ break; ++ ++ // Level 3 view - Packet Data ++ ++ case "3": ++ var rowLoke = parts[1]; ++ var nCols = $('#' + parts[1]).data('cols'); ++ var filter = $('#' + parts[1]).data('filter'); ++ var urArgs = "type=" + parts[0] + "&object=" + filter + "&ts=" + theWhen; ++ var sg = $('#' + parts[1]).data('sg'); ++ $(function(){ ++ $.get(".inc/callback.php?" + urArgs, function(data){cb4(data)}); ++ }); ++ ++ function cb4(data){ ++ eval("theData=" + data); ++ ++ var tbl = '', head = '', row = ''; ++ ++ // If IP version is 0 we can jump right to the payload (likely bro, http or ossec agent) ++ if (theData[0].ip_ver != 0) { ++ ++ var PDATA = 0; ++ head += ""; ++ head += ""; ++ head += ""; ++ head += ""; ++ head += ""; ++ head += ""; ++ head += ""; ++ head += ""; ++ head += ""; ++ head += ""; ++ head += ""; ++ head += ""; ++ head += ""; ++ head += ""; ++ ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += "
IPVERIHLTOSLENGTHIDFLAGSOFFSETTTLCHECKSUMPROTO
" + theData[0].ip_ver + "" + theData[0].ip_hlen + "" + theData[0].ip_tos + "" + theData[0].ip_len + "" + theData[0].ip_id + "" + theData[0].ip_flags + "" + theData[0].ip_off + "" + theData[0].ip_ttl + "" + theData[0].ip_csum + "" + theData[0].ip_proto + "
"; ++ ++ switch (theData[0].ip_proto) { ++ case "1": ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += "
ICMPTYPECODECHECKSUMIDSEQ#
" + theData[1].icmp_type + "" + theData[1].icmp_code + "" + theData[1].icmp_csum + "" + theData[1].icmp_id + "" + theData[1].icmp_seq + "
"; ++ break; ++ ++ case "6": ++ // TCP flags ++ var tmpFlags = theData[1].tcp_flags || 'z'; ++ switch (tmpFlags) { ++ case 'z': var tcpFlags = '--------'; break; ++ default: ++ var binFlags = Number(theData[1].tcp_flags).toString(2); ++ var binPad = 8 - binFlags.length; ++ var tcpFlags = "00000000".substring(0,binPad) + binFlags; ++ break; ++ } ++ var tcp_seq = theData[1].tcp_seq || '-'; ++ var tcp_ack = theData[1].tcp_ack || '-'; ++ var tcp_off = theData[1].tcp_off || '-'; ++ var tcp_res = theData[1].tcp_res || '-'; ++ var tcp_win = theData[1].tcp_win || '-'; ++ var tcp_urp = theData[1].tcp_urp || '-'; ++ var tcp_csum = theData[1].tcp_csum || '-'; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += "
TCPR1R0URGACKPSHRSTSYNFINSEQ#ACK#OFFSETRESWINURPCHECKSUM
" + tcpFlags[0] + "" + tcpFlags[1] + "" + tcpFlags[2] + "" + tcpFlags[3] + "" + tcpFlags[4] + "" + tcpFlags[5] + "" + tcpFlags[6] + "" + tcpFlags[7] + "" + tcp_seq + "" + tcp_ack + "" + tcp_off + "" + tcp_res + "" + tcp_win + "" + tcp_urp + "" + tcp_csum + "
"; ++ break; ++ ++ case "17": ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += "
UDPLENGTHCHECKSUM
" + theData[1].udp_len + "" + theData[1].udp_csum + "
"; ++ break; ++ } ++ ++ var p_hex = '', p_ascii = '', p_ascii_l = ''; ++ ++ // Data ++ if (!theData[2]) { ++ p_hex = "No Data Sent."; ++ p_ascii = "No Data Sent."; ++ } else { ++ p_pl = theData[2].data_payload; ++ p_length = theData[2].data_payload.length; ++ var b0 = 0; ++ ++ for(var i=0; i < p_length; i+=2) { ++ b0++; ++ t_hex = p_pl.substr(i,2); ++ t_int = parseInt(t_hex,16); ++ ++ if ((t_int < 32) || (t_int > 126)) { ++ p_hex += t_hex + " "; ++ p_ascii += "."; ++ p_ascii_l += "."; ++ } else if (t_int == 60) { ++ p_hex += t_hex + " "; ++ p_ascii += "<"; ++ p_ascii_l += "<"; ++ } else if (t_int == 62) { ++ p_hex += t_hex + " "; ++ p_ascii += ">"; ++ p_ascii_l += ">"; ++ } else { ++ p_hex += t_hex + " "; ++ p_ascii += String.fromCharCode(parseInt(t_hex, 16)); ++ p_ascii_l += String.fromCharCode(parseInt(t_hex, 16)); ++ } ++ ++ if ((b0 == 16) && (i < p_length)) { ++ p_hex += "
"; ++ p_ascii += "
"; ++ b0 = 0; ++ } ++ } ++ } ++ ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += "
DATAHEXASCII
" + p_hex + "" + p_ascii + "
ASCII" + p_ascii_l + "
"; ++ ++ } else { ++ ++ head += ""; ++ var p_ascii = "No Data Sent."; ++ // This needs to be more robust. ++ if (theData[2]) { ++ var tmp = h2s(theData[2].data_payload).split("\n"); ++ p_ascii = ''; ++ for (var i in tmp) { ++ p_ascii += "
" + tmp[i] + "
"; ++ } ++ ++ } ++ row += ""; ++ row += ""; ++ row += "
" + p_ascii + "
"; ++ } ++ ++ tbl += ""; ++ ++ // If we are not grouped we show the signature text ++ if ( sg != 0 ) { ++ tbl += "
"; ++ tbl += "
"; ++ tbl += "
"; ++ tbl += "
"; ++ tbl += "
"; ++ tbl += "
"; ++ sigLookup(sg); ++ } ++ ++ // Comments and tags are done here ++ var tags = new Array(); ++ var eventTag = 'None.'; ++ var eventComment = theData[0].comment || 'None.'; ++ var src_tag = theData[0].srctag || '-'; ++ var dst_tag = theData[0].dsttag || '-'; ++ ++ // Populate tags array ++ if (src_tag != "-") { ++ var src_tags = src_tag.split(","); ++ $.each(src_tags, function(n,tag) { ++ var t = tags.indexOf(tag + ",s"); ++ if (t < 0) tags.push(tag + ",s"); ++ }); ++ } ++ ++ if (dst_tag != "-") { ++ var dst_tags = dst_tag.split(","); ++ $.each(dst_tags, function(n,tag) { ++ var t = tags.indexOf(tag + ",d"); ++ if (t < 0) tags.push(tag + ",d"); ++ }); ++ } ++ ++ if (tags.length > 0) eventTag = ''; ++ ++ tbl += "
COMMENTS
"; ++ tbl += "
" + eventComment + "
"; ++ tbl += "
TAGS
"; ++ tbl += "
" + eventTag + "
"; ++ if (PDATA != 0) { ++ tbl += "
DETAILS
"; ++ } else { ++ tbl += "
PAYLOAD
"; ++ } ++ tbl += head; ++ tbl += row; ++ tbl += ""; ++ $("#" + rowLoke).after(tbl); ++ $("#loader").hide(); ++ ++ // Turn off fade effect for large results ++ var rC = $(".d_row_sub1").length; ++ if ( rC <= 499 ) { ++ $(".d_row_sub1").fadeTo('fast','0.2'); ++ } ++ ++ // Populate tags ++ clearTags(); ++ for (var i=0; i < tags.length; i++) { ++ addTag(tags[i]); ++ } ++ ++ } ++ break; ++ } ++ // If event queue is off we need to reset this after load if b_ec_hot was ++ // the entry point ++ if ($('#rt').text() == 'off') rtbit = 0; ++ } ++ ++ // ++ // Object click handlers ++ // ++ ++ $(document).on("click", ".select,.ex_val,.sub_filter,.row_filter,.tof,.value_link,.nr_f", function(e) { ++ // Check if we are coming from a legit object ++ var prefix = $(this).data('type'); ++ if (prefix == "none") return; ++ ++ // Check if we are coming from a sane selection ++ var selLen = window.getSelection().toString().length; ++ if (selLen > 4) { ++ if (selLen < 255) { // Might need to change these based on how people use this ++ prefix = "zz"; ++ var suffix = window.getSelection().toString(); ++ var re = /\s/g; ++ var NOK = re.exec(suffix); ++ if (NOK) return; ++ } else { ++ return; ++ } ++ } else { ++ var suffix = $(this).text(); ++ } ++ ++ var mX = e.pageX; ++ var mY = e.pageY; ++ ++ var colour = $(this).data('col') || "FFFFFF"; ++ var tfocus = "#search"; ++ switch (prefix) { ++ case 'ip': ++ hItemAdd(suffix); ++ var sord = $(this).data('sord'); ++ mkPickBox(prefix,suffix,sord,colour,mX,mY); ++ break; ++ case 'spt': ++ case 'dpt': ++ hItemAdd(suffix); ++ mkPickBox(prefix,suffix,0,colour,mX,mY); ++ break; ++ case 'cc': ++ case 'scc': ++ case 'dcc': ++ var cc = $(this).data('value'); ++ hItemAdd(cc); ++ mkPickBox(prefix,cc,suffix,colour,mX,mY); ++ break; ++ case 'cmt': ++ suffix = $(this).data('comment'); ++ $("#rt").text("off"); ++ $("#rt").attr('class','tvalue_off'); ++ $('#search').val(prefix + " " + suffix); ++ hItemAdd(suffix); ++ if ($('#cat_box').css('display') != 'none') { 
++ $('#ico01').click(); ++ } ++ $('.b_update').click(); ++ break; ++ case 'cmt_c': ++ $('.cat_msg_txt').val(suffix); ++ hItemAdd(suffix); ++ tfocus = ".cat_msg_txt"; ++ break; ++ case 'fil': ++ var fil = $(this).data('value'); ++ $('#search').val(fil); ++ hItemAdd(fil); ++ if ($('#fltr_box').css('display') != 'none') { ++ $('#ico04').click(); ++ } ++ $('.b_update').click(); ++ break; ++ case 'sid': ++ var value = $(this).data('value'); ++ hItemAdd(suffix); ++ mkPickBox(prefix,value,suffix,colour,mX,mY); ++ break; ++ case 'st': ++ var suffix = $(this).attr('id').split('-')[1]; ++ $('#search').val(prefix + " " + suffix); ++ // RT must be off to return anything ++ $('#rt').attr('class','tvalue_off'); ++ $('#rt').text('off'); ++ rtbit = 0; ++ $('.b_update').click(); ++ break; ++ case 'el': ++ var suffix = $(this).data('value'); ++ mkPickBox(prefix,suffix,0,colour,mX,mY); ++ break; ++ case 'zz': ++ hItemAdd(suffix); ++ mkPickBox(prefix,suffix,0,colour,mX,mY); ++ break; ++ } ++ }); ++ ++ // ++ // Picker Box ++ // ++ ++ function mkPickBox(prefix,suffix,rsuffix,colour,mX,mY) { ++ var doexternals = "yes"; ++ var objhex = s2h(suffix); ++ var tbl = '', row = ''; ++ // Local stuff first ++ switch (prefix[prefix.length - 1]) { ++ case "c": ++ row += ":: SRC or DST"; ++ row += ":: SRC"; ++ row += ":: DST"; ++ row += ":: SEARCH"; ++ break; ++ case "p": ++ row += ":: SRC or DST"; ++ row += ":: SRC"; ++ row += ":: DST"; ++ row += ":: ADD / REMOVE TAG"; ++ if ($('.sigtxt')[0]) { ++ row += ":: HISTORY"; ++ } ++ row += ":: SEARCH"; ++ row += ":: COLOUR  "; ++ row += ""; ++ row += "apply"; ++ row += "apply all"; ++ row += ""; ++ break; ++ case "t": ++ row += ":: SRC"; ++ row += ":: DST"; ++ row += ":: SEARCH"; ++ break; ++ case "d": ++ row += ":: SIGNATURE"; ++ if ($('.sigtxt')[0]) { ++ row += ":: HISTORY"; ++ } ++ row += ":: SEARCH"; ++ break; ++ case "l": ++ row += ":: COLOUR  "; ++ row += ""; ++ row += "update"; ++ doexternals = "no"; ++ break; ++ case "z": ++ row += ":: SEARCH"; ++ 
break; ++ } ++ ++ // If applicable populate externals ++ if (doexternals == "yes") { ++ $('.f_row').each(function() { ++ var ct = $(this).data('type'); ++ if (ct == 'url') { ++ var alias = $(this).data('alias'); ++ var name = $(this).data('name'); ++ var url = $(this).data('filter'); ++ row += ""; ++ row += "" + name + ""; ++ row += ""; ++ } ++ }); ++ } ++ ++ tbl += ""; ++ tbl += row; ++ tbl += "
"; ++ ++ var boxlabel = suffix; ++ ++ // Use more descriptive names where possible ++ var re = /(sid|cc|scc|dcc)/; ++ var OK = re.exec(prefix); ++ if (OK) { ++ var boxlabel = rsuffix; ++ } ++ ++ if (boxlabel.length > 24) { ++ boxlabel = boxlabel.substring(0,24); ++ boxlabel += ".."; ++ } ++ ++ $('#pickbox_label').text(boxlabel).css('font-weight','normal').data('sord', rsuffix); ++ ++ if ($('#tlpick')[0]) $('#tlpick').remove(); ++ $(".pickbox_tbl").append(tbl); ++ $('.pickbox').fadeIn('fast'); ++ ++ // Colour Picker ++ $("#menucol").spectrum({ ++ showInput: true, ++ className: "full-spectrum", ++ showInitial: true, ++ showPalette: true, ++ showSelectionPalette: true, ++ maxPaletteSize: 6, ++ preferredFormat: "hex", ++ localStorageKey: "spectrum.demo", ++ move: function (color) {}, ++ show: function () {}, ++ beforeShow: function () {}, ++ hide: function () {}, ++ change: function() {}, ++ palette: [ ++ ['rgb(217,217,217)','rgb(189,189,189)','rgb(150,150,150)','rgb(99,99,99)','rgb(37,37,37)'], ++ ['rgb(199,233,192)','rgb(161,217,155)','rgb(116,196,118)','rgb(49,163,84)','rgb(0,109,44)'], ++ ['rgb(218,218,235)','rgb(188,189,220)','rgb(158,154,200)','rgb(117,107,177)','rgb(84,39,143)'], ++ ['rgb(198,219,239)','rgb(158,202,225)','rgb(107,174,214)','rgb(49,130,189)','rgb(8,81,156)'], ++ ['rgb(254,217,118)','rgb(254,178,76)','rgb(253,141,60)','rgb(240,59,32)','rgb(189,0,38)'] ++ ] ++ }); ++ } ++ ++ // Pickbox click events ++ $(document).on('click', '.p_row', function() { ++ if ($('.tagbox').css('display') != 'none') $('.tagcancel').click(); ++ var ctype = $(this).data('type'); ++ var alias = $(this).data('alias'); ++ var args = $('#tlpick').data('val'); ++ switch(ctype) { ++ case "l": ++ $('.pickbox').fadeOut('fast'); ++ $('#search').val(alias + " " + args); ++ $('.b_update').click(); ++ break; ++ case "r": ++ $('.pickbox').fadeOut('fast'); ++ var url = h2s($(this).data('url')).replace("${var}", args); ++ window.open(url); ++ break; ++ case "t": ++ 
$('.tagbox').fadeIn('fast'); ++ $('.taginput').focus(); ++ break; ++ case "s": ++ $('.pickbox').fadeOut('fast', function() {; ++ $('#ico05').click(); ++ }); ++ $('.srch_txt').val(args); ++ break; ++ case "h": ++ doHistory(args); ++ $('.pickbox').fadeOut('fast'); ++ break; ++ default: return; ++ } ++ }); ++ ++ // ++ // Tags ++ // ++ ++ // Truncate ++ function truncTag(tag,len) { ++ if (tag.length > len) tag = tag.substring(0,len) + ".."; ++ return tag; ++ } ++ ++ // Filter results or add as new ++ $(document).on('click', '.tag', function() { ++ var tag = $(this).data('val'); ++ if($('.taginput').is(":visible")) { ++ $('.taginput').val(tag); ++ $('.taginput').focus(); ++ } else { ++ $('#search').val('tag ' + tag); ++ $('.b_update').click(); ++ } ++ }); ++ ++ // Remove individual tags on "(X)" click via payload area ++ $(document).on('mouseenter', '.tag_d, .tag_s', function() { ++ var tag = $(this).data('val'); ++ if ($(".tag_x")[0]) return; ++ var dw = $(this).width() - 5 + "px"; ++ $(this).append("
X
"); ++ $(".tag_x").css("margin-left", dw); ++ $(".tag_x").fadeIn("slow"); ++ ++ }); ++ ++ $(document).on('mouseleave', '.tag_d, .tag_s', function() { ++ $('.tag_x').remove(); ++ }); ++ ++ $(document).on('click', '.tag_x', function() { ++ var tag = $(this).parent().data("val"); ++ var obj = $(this).parent().data("obj"); ++ $(this).parent().remove(); ++ var len = $("#tag_area").text().length; ++ if (len == 0) $("#tag_area").append("None."); ++ //doTag(s2h(obj),tag,'rm'); ++ }); ++ ++ // Fire tag add on enter ++ $('.taginput').keypress(function(e) { ++ if (!e) e=window.event; ++ key = e.keyCode ? e.keyCode : e.which; ++ if (key == 13) $('.tagok').click(); ++ }); ++ ++ // Close tag entry ++ $(document).on('click', '.tagcancel', function() { ++ $('.taginput').val(''); ++ $('.tagbox').fadeOut('fast'); ++ }); ++ ++ // Add a tag ++ $(document).on('click', '.tagok', function() { ++ var tag = $('.taginput').val(); ++ var obj = $('#pickbox_label').text(); ++ var re = /^[?a-zA-Z0-9][\s{1}\w-\.]*$/; ++ var OK = re.exec(tag); ++ if (OK) doTag(s2h(obj),tag,'add'); ++ }); ++ ++ // Remove a tag ++ $(document).on('click', '.tagrm', function() { ++ var tag = truncTag($('.taginput').val(),20); ++ var obj = $('#pickbox_label').text(); ++ doTag(s2h(obj),tag,'rm'); ++ $(".tag" + ":contains('" + tag + "')").remove(); ++ $('.tagcancel').click(); ++ }); ++ ++ // Display or Toggle tags ++ function addTag(tag) { ++ // If we entered from payload we have some additional info ++ if ($('#eview_sub2')[0]) { ++ var longTag = tag.split(",")[0]; ++ var theClass = tag.split(",")[1]; ++ var t_tag = truncTag(longTag,20); ++ } else { ++ var t_tag = truncTag(tag,20); ++ } ++ ++ // Hide empty ++ $('.tag_empty').hide(); ++ ++ // Check if tag exists ++ var tag_exists = 0; ++ $('.tag').each(function() { ++ if ($(this).text() == t_tag) { ++ $(this).addClass('tag_active'); ++ tag_exists = 1; ++ } ++ }); ++ ++ // Add tag to left pane ++ if (tag_exists == 0) { ++ var newTag = "
" + t_tag + "
"; ++ $('#tg_box').prepend(newTag); ++ } ++ ++ // If we have the payload open, add here as well ++ if ($('#eview_sub2')[0]) { ++ if($('#pickbox_label').is(":visible")) { ++ theClass = $('#pickbox_label').data('sord')[0]; ++ } ++ // Remove placeholder ++ if ($('#tag_none')[0]) $('#tag_none').remove(); ++ var newTag = "
" + t_tag + "
"; ++ $('#tag_area').prepend(newTag); ++ } ++ ++ } ++ ++ function doTag(obj,tag,op) { ++ var urArgs = "type=19&obtype=tag&object=" + obj + "&value=" + tag + "&op=" + op; ++ $(function(){ ++ $.post(".inc/callback.php?" + urArgs, function(data){cb22(data)}); ++ }); ++ ++ function cb22(data){ ++ eval("theData=" + data); ++ if (theData.msg != '') { ++ alert(theData.msg); ++ } else { ++ if (op != 'rm') addTag(tag); ++ $('.tagcancel').click(); ++ } ++ } ++ } ++ ++ // Colours ++ $(document).on('click', '.csave', function() { ++ var obtype = $(this).data('obtype'); ++ var object = $(this).data('object'); ++ var colour = $('#menucol').val().replace(/#/,"").toUpperCase(); ++ var op = "add"; ++ var re = /^([A-Fa-f0-9]{6}|[A-Fa-f0-9]{3})$/; ++ var OK = re.exec(colour); ++ if (!OK) return; ++ // Single or multiple? ++ if (obtype == "src" || obtype == "dst") { ++ var vr = new Array(); ++ $("." + obtype).each(function() { ++ var v = $(this).text(); ++ var re = /\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}/; ++ var OK = re.exec(v); ++ if (OK) { ++ var t = vr.indexOf(v); ++ if (t < 0) vr.push(v); ++ } ++ }); ++ object = vr.toString(); ++ } ++ ++ var urArgs = "type=19&obtype=" + obtype + "_c&object=" + object + "&value=" + colour + "&op=" + op; ++ $(function(){ ++ $.post(".inc/callback.php?" + urArgs, function(data){cb22(data)}); ++ }); ++ ++ function cb22(data){ ++ eval("theData=" + data); ++ if (theData.msg != '') { ++ alert(theData.msg); ++ } else { // We should be good.. ++ var curObject = $('#pickbox_label').text(); ++ if (obtype == "el") { ++ var html = "
" + colour; ++ $('#el_' + curObject).html(html); ++ $('#el_' + curObject).data('col', colour); ++ } else { ++ $(".sub_filter:contains(" + curObject + ")").each(function() { ++ $(this).find('.object').css('background-color', '#' + colour).parent().data('col', colour); ++ }); ++ } ++ $('.pickbox').fadeOut('fast'); ++ } ++ } ++ }); ++ ++ $(document).on('click', '.pickbox_close', function() { ++ $('.tagcancel').click(); ++ $('.pickbox').fadeOut('fast'); ++ }); ++ ++ // ++ // Object History ++ // ++ ++ function hItemAdd(item) { ++ var itemTitle = item; ++ // Truncate ++ if (item.length > 33) { ++ itemTitle = item.substring(0,33) + ".."; ++ } ++ // Remove empty message ++ $('.history_empty').hide(); ++ ++ // If the item doesn't exist, add it. Otherwise, we start counting. ++ if ($(".h_item:contains('" + itemTitle + "')").length > 0) { ++ var oc = $(".h_item:contains('" + itemTitle + "')").data('n'); ++ var nc = Number(oc) + 1; ++ var bg = '#c9c9c9'; ++ var fn = 'normal'; ++ if (nc <= 3) { ++ bg = '#000'; ++ } else if (nc > 3) { ++ bg = '#cc0000'; ++ fn = 'bold'; ++ } ++ ++ $(".h_item:contains('" + itemTitle + "')").css('color', bg); ++ $(".h_item:contains('" + itemTitle + "')").css('font-weight', fn); ++ $(".h_item:contains('" + itemTitle + "')").data('n',nc); ++ $(".h_item:contains('" + itemTitle + "')").text(itemTitle + "(" + nc + ")"); ++ } else { ++ var toAdd = " " + itemTitle + ""; ++ $('#h_box').prepend(toAdd); ++ } ++ } ++ ++ if (!$('.h_item')[0]) { ++ $('.history_empty').show(); ++ } ++ ++ // Alt mappings for icons ++ ++ $.alt('1', function() { ++ $("#ico01").click(); ++ }); ++ $.alt('2', function() { ++ $("#ico02").click(); ++ }); ++ $.alt('3', function() { ++ $("#ico03").click(); ++ }); ++ $.alt('4', function() { ++ $("#ico05").click(); ++ }); ++ $.alt('5', function() { ++ $("#ico04").click(); ++ }); ++ ++ // ++ // Event classification ++ // ++ ++ // Use function keys to trigger status buttons ++ $(document).keydown(function(event){ ++ ++ function stopOthers() 
{ ++ event.originalEvent.keyCode = 0; ++ event.preventDefault(); ++ event.stopPropagation(); ++ } ++ ++ switch (event.keyCode) { ++ case 112: stopOthers(); $('#b_class-11').click(); break; ++ case 113: stopOthers(); $('#b_class-12').click(); break; ++ case 114: stopOthers(); $('#b_class-13').click(); break; ++ case 115: stopOthers(); $('#b_class-14').click(); break; ++ case 116: stopOthers(); $('#b_class-15').click(); break; ++ case 117: stopOthers(); $('#b_class-16').click(); break; ++ case 118: stopOthers(); $('#b_class-17').click(); break; ++ case 119: stopOthers(); $('#b_class-1').click(); break; ++ case 120: stopOthers(); $('#b_class-2').click(); break; ++ } ++ }); ++ ++ // Comment window status buttons ++ $(document).on("click", "#cw_buttons", function(event) { ++ var newclass = $(event.target).data('n'); ++ if (newclass == 0) { ++ $('#b_class-' + newclass).click(); ++ } else { ++ $('#b_class-' + newclass).click(); ++ } ++ }); ++ ++ // Highlight colour for selected events ++ var hlcol = "#FFFFE0"; ++ var hlhov = "#FDFDD6"; ++ ++ // Individual selects ++ var clickOne = 0, clck1 = 0, clck2 = 0; ++ $(document).on("click", ".chk_event", function(event) { ++ $("#tl3b").trigger('update'); ++ var clickTwo = this.id.split("_"); ++ if (Number(clickOne[1]) > Number(clickTwo[1])) { ++ clck1 = clickTwo[1]; ++ clck2 = clickOne[1]; ++ } else { ++ clck1 = clickOne[1]; ++ clck2 = clickTwo[1]; ++ } ++ ++ if (event.shiftKey) { ++ if (clck1 != clck2) { ++ $("#s" + clck1).nextUntil("#s" + clck2).find(".chk_event").prop("checked", true); ++ $("#s" + clck1).nextUntil("#s" + clck2).css("background-color", hlcol); ++ $("#s" + clck1).nextUntil("#s" + clck2).hover( ++ function(){$(this).css("background-color", hlhov)}, ++ function(){$(this).css("background-color", hlcol)}); ++ clickOne = 0, clck1 = 0, clck2 = 0; ++ } ++ } ++ ++ // Update class_count ++ $("#class_count").html($(".chk_event:checked").length); ++ if ($("#ca1:checked").length > 0) { ++ $("#ca1").prop("checked",false); ++ 
} ++ clickOne = this.id.split("_"); ++ ++ if ($(this).prop("checked") == true) { ++ $("#s" + clickTwo[1]).css("background-color", hlcol); ++ $("#s" + clickTwo[1]).hover(function(){$(this).css("background-color", hlhov)}, ++ function(){$(this).css("background-color", hlcol)}); ++ } else { ++ $("#s" + clickTwo[1]).css("background-color", "transparent"); ++ $("#s" + clickTwo[1]).hover(function(){$(this).css("background-color", "#f4f4f4")}, ++ function(){$(this).css("background-color", "transparent")}); ++ } ++ }); ++ ++ // Select all (2) ++ $(document).on("click", "#ca1", function(event) { ++ var chkLen = $("#ca1:checked").length; ++ switch(chkLen) { ++ case 0: ++ $(".chk_event").prop("checked",false); ++ $("#ca0").prop("checked",false); ++ $(".d_row_sub1").css("background-color", "transparent"); ++ $(".d_row_sub1").hover(function(){$(this).css("background-color", "#f4f4f4")}, ++ function(){$(this).css("background-color", "transparent")}); ++ break; ++ default: ++ $(".chk_event").each(function() { ++ if ($(this).prop("disabled") == false) { ++ $(this).prop("checked",true); ++ } ++ }); ++ $(".d_row_sub1").css("background-color", hlcol); ++ $(".d_row_sub1").hover(function(){$(this).css("background-color", hlhov)}, ++ function(){$(this).css("background-color", hlcol)}); ++ $("#ca0").prop("checked",true); ++ break; ++ } ++ ++ if ($(".eview_sub1")[0]) { ++ // Update class_count ++ $("#class_count").html($(".chk_event:checked").length); ++ } ++ ++ }); ++ ++ // Select all (2a) - clean this up, the above is almost identical ++ $(document).on("click", "#ca2", function(event) { ++ var chkLen = $("#ca2:checked").length; ++ switch(chkLen) { ++ case 0: ++ $(".chk_event").prop("checked",false); ++ $("#ca2").prop("checked",false); ++ $(".d_row_sub1").css("background-color", "transparent"); ++ $(".d_row_sub1").hover(function(){$(this).css("background-color", "#f4f4f4")}, ++ function(){$(this).css("background-color", "transparent")}); ++ break; ++ default: ++ 
$(".chk_event").each(function() { ++ if ($(this).prop("disabled") == false) { ++ $(this).prop("checked",true); ++ } ++ }); ++ $(".d_row_sub1").css("background-color", hlcol); ++ $(".d_row_sub1").hover(function(){$(this).css("background-color", hlhov)}, ++ function(){$(this).css("background-color", hlcol)}); ++ $("#ca2").prop("checked",true); ++ break; ++ } ++ // Update class_count ++ $("#class_count").html($(".chk_event:checked").length); ++ }); ++ ++ // Class button click ++ $(document).on("click", "[id*=\"b_class-\"]", function() { ++ // We only fire if something is selected ++ var chkLen = parseInt($(".chk_event:checked").length + $(".chk_all:checked").length); ++ var intclass = $(this).attr('id').split("-"); ++ if (chkLen > 0 && intclass[1] != 0) { ++ eClass(this,intclass[1]); ++ } ++ }); ++ ++ function eClass(caller,intclass) { ++ // The sid.cid values ++ var scid= "", scidlist = "", ecls = 0; ++ if ($(".eview_sub1")[0] || $("#ca2")[0]) { ++ $(".chk_event:checked").each(function() { ++ if ($(this).data('eclass') == 0) { ++ ecls++; ++ } ++ scid += $(this).val() + ","; ++ }); ++ scidlist = scid.replace(/,$/, ""); ++ } else { ++ ecls = $(".d_row_active").find(".b_ec_hot").text(); ++ scidlist = $("#ca0").data("scid"); ++ } ++ ++ // Was there a message? ++ var msg = "none"; ++ if ($(".cat_msg_txt").val().length != 0) { ++ msg = $(".cat_msg_txt").val(); ++ } ++ ++ if ($('#cat_box').css('display') != 'none') { ++ $('#ico01').click(); ++ } ++ ++ // We are now ready to class ++ var catdata = intclass + "|||" + msg + "|||" + scidlist; ++ var urArgs = "type=" + 9; ++ $(function(){ ++ $.post(".inc/callback.php?" 
+ urArgs, { catdata: catdata } ,function(data){cb9(data)}); ++ }); ++ ++ function cb9(data){ ++ eval("catRaw=" + data); ++ catDbg = catRaw.dbg; ++ if (catDbg == "0") { ++ ++ var curtotalrtcount = Number(ecls); ++ // Working on grouped events ++ if ($("#gr").text() == "on") { ++ curclasscount = Number($("#class_count").text()); ++ var curtotalparentcount = $(".d_row_active").find(".b_ec_hot").text(); ++ // Do we have queued events? ++ if (curtotalparentcount > 0) { ++ ++ // Are we working on queued events? ++ if (curtotalrtcount > 0) { ++ curclasscount = curtotalrtcount; ++ } else { ++ curclasscount = 0; ++ } ++ // Adjust the parent count ++ newparentcount = parseInt(curtotalparentcount - curclasscount,10); ++ $(".d_row_active").find(".b_ec_hot").text(newparentcount); ++ ++ if (newparentcount == 0) { ++ $(".d_row_active").find(".b_ec_hot").parent().attr('class','row'); ++ $(".d_row_active").find(".b_ec_hot").attr('class','b_ec_cold'); ++ } ++ ++ // If we are working within the child, adjust accordingly ++ if ($(".eview_sub1")[0]) { ++ // How many are in the child ++ curtotalchildcount = $(".d_row_sub_active").find(".b_ec_hot").text(); ++ ++ // Adjust the child count ++ newchildcount = parseInt(curtotalchildcount - curclasscount,10); ++ $(".d_row_sub_active").find(".b_ec_hot").text(newchildcount); ++ if (newchildcount == 0) { ++ $("#ca1").prop("disabled",true); ++ $(".d_row_sub_active").find(".b_ec_hot").parent().attr('class','sub'); ++ $(".d_row_sub_active").find(".b_ec_hot").attr('class','b_ec_cold'); ++ } ++ // Otherwise we were called from the parent ++ } else { ++ $(".d_row_sub").find(".b_ec_hot").parent().attr('class','sub'); ++ $(".d_row_sub").find(".b_ec_hot").text(0); ++ $(".d_row_sub").find(".b_ec_hot").attr('class','b_ec_cold'); ++ $("#ca0").prop("disabled",true); ++ } ++ lastclasscount = newparentcount; ++ } ++ ++ // Lastly, update class_count ++ if (rtbit == 1 || curtotalrtcount > 0 || $("#eview_sub")[0]) { ++ $("#class_count").html(0); ++ } else { ++ 
$("#class_count").html($(".d_row_active").find(".b_ec_total").text()); ++ } ++ ++ // Working on ungrouped events ++ } else { ++ $("#class_count").html(lastclasscount); ++ } ++ ++ // What the new classification is ++ selClass = $(caller).data("cn"); ++ newClass = "a_" + selClass; ++ ++ // Change visible class and disable if RT ++ // If we are RT ungrouped, we just remove ++ if ($('#rt').text() == 'on' && $("#ca2")[0]) { ++ $(".chk_event:checked").each(function() { ++ var pid = $(this).attr("id").split("_"); ++ var nid = parseInt(Number(pid[1]) + 1); ++ // Remove any open payload or TX panes ++ if ($("[id^=eview_]")[0]) { ++ $("[id^=eview_]").remove(); ++ $(".d_row_sub1").css('opacity','1'); ++ } ++ // Remove the row ++ $("#s" + pid[1]).fadeOut('fast', function() { ++ $("#s" + pid[1]).remove(); ++ }); ++ }); ++ ++ // Update table (for sorter) ++ $("#tl3b").trigger('update'); ++ } else { ++ // If we are RT and all events are classed we just remove ++ if ($('#rt').text() == 'on' && $(".d_row_active").find(".b_ec_hot").text() == 0) { ++ $("#active_eview").remove(); ++ $(".d_row_active").fadeOut('slow', function (event) { ++ $(".d_row_active").remove(); ++ var newsigtotal = "-"; ++ var sigtotal = $("#esignature").text(); ++ if (sigtotal > 0) { ++ newsigtotal = parseInt(sigtotal - 1); ++ } ++ $("#esignature").text(newsigtotal); ++ }); ++ $(".d_row").css('opacity','1'); ++ } else { ++ $(".chk_event:checked").each(function() { ++ var n = this.id.split("_"); ++ $("#class_box_" + n[1]).attr('class', newClass); ++ $("#class_box_" + n[1]).text(selClass); ++ if (curtotalparentcount > 0) { ++ $(this).prop("disabled",true); ++ } ++ }); ++ } ++ $(".d_row_sub1").css("background-color", "#fafafa"); ++ $(".d_row_sub1").hover(function(){$(this).css("background-color", "#f4f4f4")}, ++ function(){$(this).css("background-color", "#fafafa")}); ++ } ++ ++ // Uncheck everything ++ $(".chk_event").prop("checked", false); ++ $(".chk_all").prop("checked", false); ++ // Remove these scids from 
the L1 scidlist ++ if ($("#ca0")[0] && rtbit == 1) { ++ var cur_scidlist = scidlist.split(','); ++ var active_scidlist = $("#ca0").data("scid"); ++ for (var i = 0; i < cur_scidlist.length; i++) { ++ active_scidlist = active_scidlist.replace(cur_scidlist[i],''); ++ } ++ active_scidlist = active_scidlist.replace(/,{2,}/g,','); ++ active_scidlist = active_scidlist.replace(/(^,|,$)/g,''); ++ $("#ca0").data("scid", active_scidlist); ++ } ++ catMsg(scidlist.split(',').length, curtotalrtcount); ++ } else { ++ catMsg(0); ++ } ++ } ++ } ++ ++ function catMsg(count, rtcount) { ++ switch (count) { ++ default: ++ var ess = ''; ++ if ( count > 1 ) ess = 's'; ++ ++ var numrows = Number($('.d_row').length + $('.d_row_sub1').length); ++ var newboxtotal = 0, newcatcount = 0; ++ newboxtotal = parseInt($("#qtotal").text() - rtcount); ++ $("#qtotal").text(newboxtotal); ++ ++ // If we are just rt update Total boxes as we go ++ if ($("#ca2")[0]) { // We are ungrouped ++ newcatcount = parseInt($("#cat_count").text() - count); ++ if (newcatcount == 0) { ++ newView("u"); ++ } else { ++ $("#cat_count").text(newcatcount); ++ } ++ } ++ ++ if (numrows == 0) { ++ newView("u"); ++ } ++ ++ var msg = count + " event" + ess + " categorized"; ++ clearTags(); ++ break; ++ } ++ ++ $("span.class_msg").text(msg); ++ $("span.class_msg").fadeIn('slow', function() { ++ setTimeout(function(){ ++ $(".class_msg").fadeOut('slow'); ++ }, 3000); ++ }); ++ } ++ ++ // Load summary tab ++ function loadSummary() { ++ var limit = 10; ++ if ($('#wm0')[0]) { ++ doMap("redraw"); ++ } else { ++ doMap("draw"); ++ } ++ mkSummary("signature",limit); ++ mkSummary("srcip",limit); ++ mkSummary("dstip",limit); ++ mkSummary("srcpt",limit); ++ mkSummary("dstpt",limit); ++ mkSummary("srccc",limit); ++ mkSummary("dstcc",limit); ++ } ++ ++ // Toggle summary section ++ $(document).on("click", ".hidepane", function(e) { ++ $('#topsignature').toggle(); ++ }); ++ ++ // Summary tab ++ function mkSummary(box,limit) { ++ var theWhen = 
getTimestamp(); ++ var theSensors = s2h('empty'); ++ var theFilter = mkFilter(); ++ // See if we are filtering by sensor ++ if ($('.chk_sen:checked').length > 0) { ++ var active_sensors = "AND event.sid IN("; ++ var iter = $('.chk_sen:checked').length; ++ $('.chk_sen:checked').each(function() { ++ active_sensors += "'" + $(this).val() + "',"; ++ }); ++ active_sensors = active_sensors.replace(/,+$/,''); ++ active_sensors += ")"; ++ theSensors = s2h(active_sensors); ++ } ++ ++ var ldr = "
"; ++ $('#ov_' + box + '_sl').prepend(ldr); ++ $('#top' + box).fadeTo('fast', 0.2); ++ switch (box) { ++ case "srcip": ++ var cbArgs = "srcip"; ++ var qargs = "ip-src"; ++ var urArgs = "type=15&qargs=" + qargs + "&filter=" + theFilter + "&sensors=" + theSensors + "&limit=" + limit + "&ts=" + theWhen; ++ $(function(){ ++ $.get(".inc/callback.php?" + urArgs, function(data){cb15(data,cbArgs)}); ++ }); ++ break; ++ case "dstip": ++ var cbArgs = "dstip"; ++ var qargs = "ip-dst"; ++ var urArgs = "type=15&qargs=" + qargs + "&filter=" + theFilter + "&sensors=" + theSensors + "&limit=" + limit + "&ts=" + theWhen; ++ $(function(){ ++ $.get(".inc/callback.php?" + urArgs, function(data){cb15(data,cbArgs)}); ++ }); ++ break; ++ case "srcpt": ++ var cbArgs = "srcpt"; ++ var qargs = "pt-src"; ++ var urArgs = "type=15&qargs=" + qargs + "&filter=" + theFilter + "&sensors=" + theSensors + "&limit=" + limit + "&ts=" + theWhen; ++ $(function(){ ++ $.get(".inc/callback.php?" + urArgs, function(data){cb17(data,cbArgs)}); ++ }); ++ break; ++ case "dstpt": ++ var cbArgs = "dstpt"; ++ var qargs = "pt-dst"; ++ var urArgs = "type=15&qargs=" + qargs + "&filter=" + theFilter + "&sensors=" + theSensors + "&limit=" + limit + "&ts=" + theWhen; ++ $(function(){ ++ $.get(".inc/callback.php?" + urArgs, function(data){cb17(data,cbArgs)}); ++ }); ++ break; ++ case "signature": ++ var qargs = "sig-sig"; ++ var urArgs = "type=15&qargs=" + qargs + "&filter=" + theFilter + "&sensors=" + theSensors + "&limit=" + limit + "&ts=" + theWhen; ++ $(function(){ ++ $.get(".inc/callback.php?" + urArgs, function(data){cb16(data)}); ++ }); ++ break; ++ case "srccc": ++ var cbArgs = "srccc"; ++ var qargs = "cc-src"; ++ var urArgs = "type=15&qargs=" + qargs + "&filter=" + theFilter + "&sensors=" + theSensors + "&limit=" + limit + "&ts=" + theWhen; ++ $(function(){ ++ $.get(".inc/callback.php?" 
+ urArgs, function(data){cb15(data,cbArgs)}); ++ }); ++ break; ++ case "dstcc": ++ var cbArgs = "dstcc"; ++ var qargs = "cc-dst"; ++ var urArgs = "type=15&qargs=" + qargs + "&filter=" + theFilter + "&sensors=" + theSensors + "&limit=" + limit + "&ts=" + theWhen; ++ $(function(){ ++ $.get(".inc/callback.php?" + urArgs, function(data){cb15(data,cbArgs)}); ++ }); ++ break; ++ } ++ ++ // IP and Country ++ function cb15(data,cbArgs){ ++ var ch = "SRC"; ++ var wip = "d"; ++ if (cbArgs[0] == "s") ch = "DST", wip = "s"; ++ eval("raw=" + data); ++ var tbl = '', head = '', row = ''; ++ head += ""; ++ head += "COUNT"; ++ head += "%TOTAL"; ++ head += "#SIG"; ++ head += "#" + ch + ""; ++ if (cbArgs[3] == "c") { ++ head += "COUNTRY"; ++ head += "#IP"; ++ } else { ++ head += "IP"; ++ head += "COUNTRY"; ++ } ++ head += ""; ++ ++ var eventsum = raw[raw.length - 1].n || 0; ++ var records = raw[raw.length - 1].r || 0; ++ if (records == 0) { ++ row = "No result."; ++ $("#ov_" + cbArgs + "_sl").text(""); ++ } ++ for (var i=0; i 0) per = parseFloat(cnt/eventsum*100).toFixed(2); ++ row += ""; ++ row += "" + cnt + ""; ++ row += "" + per + "%"; ++ row += "" + sigs + ""; ++ row += "" + ip2 + ""; ++ ++ if (cbArgs[3] == "c") { ++ row += ""; ++ row += cs[1] + clong + " (." + cc.toLowerCase() + ")" + ""; ++ row += "" + ip + ""; ++ } else { ++ row += "
" + ip + ""; ++ row += ""; ++ row += cs[1] + clong + " (." + cc.toLowerCase() + ")" + ""; ++ } ++ row += ""; ++ row += "
"; ++ } ++ tbl += ""; ++ tbl += head; ++ tbl += row; ++ tbl += "
"; ++ if ($("#top" + cbArgs)[0]) $("#top" + cbArgs).remove(); ++ $("#ov_" + cbArgs + "_sl").after(tbl); ++ $("#ov_" + cbArgs + "_msg").html("viewing " + i + " of " + records + " results"); ++ mkSlider("ov_" + cbArgs + "_sl", i, records); ++ } ++ ++ // Ports ++ function cb17(data,cbArgs){ ++ eval("raw=" + data); ++ var tbl = '', head = '', row = ''; ++ head += ""; ++ head += "COUNT"; ++ head += "%TOTAL"; ++ head += "#SIG"; ++ head += "#SRC" ++ head += "#DST"; ++ head += "PORT"; ++ head += ""; ++ ++ var eventsum = raw[raw.length - 1].n || 0; ++ var records = raw[raw.length - 1].r || 0; ++ if (records == 0) { ++ row = "No result."; ++ $("#ov_" + cbArgs + "_sl").text(""); ++ } ++ for (var i=0; i 0) per = parseFloat(cnt/eventsum*100).toFixed(2); ++ row += ""; ++ row += "" + cnt + ""; ++ row += "" + per + "%"; ++ row += "" + sigs + ""; ++ row += "" + src + ""; ++ row += "" + dst + ""; ++ row += "" + port + ""; ++ row += ""; ++ row += "
"; ++ } ++ tbl += ""; ++ tbl += head; ++ tbl += row; ++ tbl += "
"; ++ if ($("#top" + cbArgs)[0]) $("#top" + cbArgs).remove(); ++ $("#ov_" + cbArgs + "_sl").after(tbl); ++ $("#ov_" + cbArgs + "_msg").html("viewing " + i + " of " + records + " results"); ++ mkSlider("ov_" + cbArgs + "_sl", i, records); ++ } ++ // Signature ++ function cb16(data){ ++ eval("raw=" + data); ++ var tbl = '', head = '', row = ''; ++ head += ""; ++ head += "COUNT"; ++ head += "%TOTAL"; ++ head += "#SRC"; ++ head += "#DST"; ++ head += "SIGNATURE"; ++ head += "ID"; ++ head += ""; ++ ++ var eventsum = raw[raw.length - 1].n || 0; ++ var records = raw[raw.length - 1].r || 0; ++ if (records == 0) { ++ row = "No result."; ++ $("#ov_signature_sl").text(""); ++ $("#ovestat").html("(No events)"); ++ } else { ++ $("#ovestat").html("(" + eventsum + " events)"); ++ } ++ for (var i=0; i 0) per = parseFloat(cnt/eventsum*100).toFixed(2); ++ row += ""; ++ row += "" + cnt + ""; ++ row += "" + per + "%"; ++ row += "" + src + ""; ++ row += "" + dst + ""; ++ row += "" + sig + ""; ++ row += "" + sid + ""; ++ row += ""; ++ row += "
"; ++ } ++ ++ tbl += ""; ++ tbl += head; ++ tbl += row; ++ tbl += "
"; ++ if ($('#topsignature')[0]) $('#topsignature').remove(); ++ $("#ov_signature_sl").after(tbl); ++ $("#ov_signature_msg").html("viewing " + i + " of " + records + " results"); ++ mkSlider("ov_signature_sl", i, records); ++ } ++ } ++ ++ $(".ovsl").mouseup(function() { ++ var section = $(this).attr('id'); ++ var base = section.split("_")[1]; ++ var limit = Number($("#" + section + "_lbl").text()); ++ if (limit > 0) mkSummary(base, limit); ++ }); ++ ++ // ++ // Views tab ++ // ++ ++ function loadViews() { ++ $('.db_links').show(); ++ if (!$("#db_view_cont")[0]) mkView(); ++ } ++ ++ // Link handlers ++ $(document).on('click', '.db_link', function() { ++ $('.db_link').each(function() { ++ if ($(this).data('state') == '1') { ++ $(this).removeClass('db_link_active'); ++ $(this).data('state', '0'); ++ } ++ }); ++ $(this).data('state', '1'); ++ mkView(); ++ }); ++ ++ $(document).on('click', '.db_type', function() { ++ $('.db_type').each(function() { ++ if ($(this).data('state') == '1') { ++ $(this).removeClass('db_type_active'); ++ $(this).data('state', '0'); ++ } ++ }); ++ $(this).data('state', '1'); ++ mkView(); ++ }); ++ ++ $(document).on('click','.db_save', function() { ++ ++ }); ++ ++ // Create the view ++ function mkView() { ++ $('#db_view_cont,#hp_info').remove(); ++ if (!$("#db_view_ldr")[0]) { ++ var view = 'ip'; ++ $('.db_link').each(function() { ++ if ($(this).data('state') == '1') { ++ $(this).addClass('db_link_active'); ++ view = $(this).data('val'); ++ } ++ }); ++ ++ var type = 'sk'; ++ $('.db_type').each(function() { ++ if ($(this).data('state') == '1') { ++ $(this).addClass('db_type_active'); ++ type = $(this).data('type'); ++ } ++ }); ++ ++ var theWhen = getTimestamp(); ++ var theSensors = s2h('empty'); ++ var theFilter = mkFilter(); ++ // See if we are filtering by sensor ++ if ($('.chk_sen:checked').length > 0) { ++ var active_sensors = "AND event.sid IN("; ++ var iter = $('.chk_sen:checked').length; ++ $('.chk_sen:checked').each(function() { ++ 
active_sensors += "'" + $(this).val() + "',"; ++ }); ++ active_sensors = active_sensors.replace(/,+$/,''); ++ active_sensors += ")"; ++ theSensors = s2h(active_sensors); ++ } ++ ++ var ldr = "
"; ++ $('.db_view').after(ldr); ++ var qargs = view + "-" + type; ++ var urArgs = "type=16&qargs=" + qargs + "&filter=" + theFilter + "&sensors=" + theSensors + "&ts=" + theWhen; ++ $(function(){ ++ $.get(".inc/callback.php?" + urArgs, function(data){cb17(data,type)}); ++ }); ++ ++ function cb17(data,type) { ++ eval("viewData=" + data); ++ var records = viewData.records; ++ if ($('#db_view_cont')[0]) $('#db_view_cont').remove(); ++ if (records > 0) { ++ $('.db_view').after("
"); ++ switch (type) { ++ case 'sk': ++ var w = $(window).width(); ++ var h = viewData.links.length * 12; ++ if (h < 100) h = 100; ++ mkSankey("db_view_cont",viewData,w,h); ++ break; ++ } ++ } else { ++ $('.db_view').after("
The query returned no results.
"); ++ } ++ $('#db_view_ldr').remove(); ++ } ++ } ++ } ++ ++ // Make a map ++ function doMap() { ++ theWhen = getTimestamp(); ++ var theFilter = mkFilter(); ++ var working = "Working
"; ++ ++ $('#wm0').html(working); ++ ++ var urArgs = "type=" + 10 + "&filter=" + theFilter + "&ts=" + theWhen; ++ $(function(){ ++ $.get(".inc/callback.php?" + urArgs, function(data){cb10(data)}); ++ }); ++ ++ function cb10(data){ ++ eval("mapRaw=" + data); ++ try { ++ var mapDetail = $.parseJSON("{" + mapRaw.all + "}"); ++ var srcc = mapRaw.srcc; ++ var srce = mapRaw.srce; ++ var dstc = mapRaw.dstc; ++ var dste = mapRaw.dste; ++ var allc = mapRaw.allc; ++ var alle = mapRaw.alle; ++ } ++ catch(e) { ++ var mapDetail = "{\"\"}"; ++ } ++ ++ // What is our current event total? ++ var esum = $('#event_sum').val(); ++ var w = $(window).width() - 72; ++ var h = w / 2.7 ; ++ $("#ov_map").html("
"); ++ $('#wm0').vectorMap({ ++ map: 'world_mill_en', ++ color: '#f4f3f0', ++ backgroundColor: '#CFE1FC', ++ zoomOnScroll: false, ++ onRegionClick: function(event, code){ ++ hItemAdd(code); ++ $('#search').val("cc" + " " + code); ++ $('#search').focus(); ++ }, ++ series: { ++ regions: [{ ++ values: mapDetail, ++ scale: ['#ffffff', '#000000'], ++ normalizeFunction: 'polynomial' ++ }] ++ }, ++ onRegionLabelShow: function(e, el, code){ ++ if (mapDetail[code]) { ++ var eper = parseFloat(mapDetail[code]/esum*100).toFixed(3); ++ el.html(el.html() + ' (' + mapDetail[code] + ' Events ' + eper + '% of Total)'); ++ } else { ++ el.html(el.html()); ++ } ++ } ++ }); ++ ++ var stats = "("; ++ stats += allc + " distinct countries)"; ++ $("#ovmapstat").html(stats); ++ } ++ } ++ ++ // Redraw map ++ $(document).on("click", "#map_src, #map_dst", function() { ++ doMap($(this).attr('id').split("_")[1]); ++ }); ++ ++ // ++ // History ++ // ++ ++ function doHistory(object) { ++ $('#loader').show(); ++ var urArgs = "type=" + 21 + "&object=" + s2h("aa" + object) + "&ts=" + theWhen; ++ $(function(){ ++ $.get(".inc/callback.php?" 
+ urArgs, function(data){cb21(data)}); ++ }); ++ ++ function cb21(data){ ++ eval("chartData=" + data); ++ var r1 = chartData.r1; ++ var r2 = chartData.r2; ++ var sum = 0; ++ if (r1 > 0) { ++ mkHeatMap(".ev_hm",chartData.start,chartData.rows1,object); ++ $('#obhist_sig').remove(); ++ if (r2 > 0) { ++ ++ for (var i=0; i < r2; i++) { ++ sum += Number(chartData.rows2[i].value); ++ } ++ ++ var tbl = '', head = '', row = ''; ++ head += ""; ++ head += "COUNT"; ++ head += "%TOTAL"; ++ head += "SIGNATURE"; ++ head += ""; ++ row += ""; ++ ++ for (var i=0; i < r2; i++) { ++ ++ var cnt = chartData.rows2[i].value || "-"; ++ var sig = chartData.rows2[i].label || "-"; ++ var sid = chartData.rows2[i].sid || "-"; ++ var per = 0; ++ if (sum > 0) var per = parseFloat(cnt/sum*100).toFixed(2); ++ var tsg = truncTag(sig,60); ++ ++ row += ""; ++ row += "" + cnt + ""; ++ row += "" + per + "%"; ++ row += "" + tsg + ""; ++ row += "" ++ row += "
"; ++ } ++ ++ row += ""; ++ tbl += ""; ++ tbl += head; ++ tbl += row; ++ tbl += "
"; ++ if ($('#obhist_sig')[0]) $('#obhist_sig').remove(); ++ $(".ev_py").append(tbl); ++ } ++ } else { ++ return; ++ } ++ if ($(".eview_charts")[0]) $('.eview_charts').slideDown('slow'); ++ $("#loader").hide(); ++ } ++ } ++// The End. ++}); +--- /dev/null ++++ securityonion-squert-20161212/login.php +@@ -0,0 +1,158 @@ ++ ++// ++// This program is free software: you can redistribute it and/or modify ++// it under the terms of the GNU General Public License as published by ++// the Free Software Foundation, either version 3 of the License, or ++// (at your option) any later version. ++// ++// This program is distributed in the hope that it will be useful, ++// but WITHOUT ANY WARRANTY; without even the implied warranty of ++// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the ++// GNU General Public License for more details. ++// ++// You should have received a copy of the GNU General Public License ++// along with this program. If not, see . ++// ++// ++ ++include_once '.inc/config.php'; ++ ++$username = $password = $err = ''; ++$focus = 'username'; ++session_set_cookie_params(0, NULL, NULL, NULL, TRUE); ++ ++function cleanUp($string) { ++ if (get_magic_quotes_gpc()) { ++ $string = stripslashes($string); ++ } ++ $string = mysql_real_escape_string($string); ++ return $string; ++} ++ ++//if ($_SERVER['REQUEST_METHOD'] == 'POST'){ ++ //$username = $_REQUEST['username']; ++ //$password = $_REQUEST['password']; ++ // sso ++ $username = $_SERVER['PHP_AUTH_USER']; ++ $password = $_SERVER['PHP_AUTH_PW']; ++ ++ $ua = $_SERVER['HTTP_USER_AGENT']; ++ $rqt = $_SERVER['REQUEST_TIME']; ++ $rqaddr = $_SERVER['REMOTE_ADDR']; ++ $max = mt_getrandmax(); ++ $rqt .= mt_rand(0,$max); ++ $rqaddr .= mt_rand(0,$max); ++ $ua .= mt_rand(0,$max); ++ $cmpid = $rqt . $rqaddr . $ua; ++ $id = md5($cmpid); ++ // PDO prepared statements ++ try { ++ // first connect to database with the PDO object. 
++ $dbpdo = new PDO("mysql:host=$dbHost;dbname=$dbName;charset=latin1", "$dbUser", "$dbPass", [
++ PDO::ATTR_EMULATE_PREPARES => false,
++ PDO::MYSQL_ATTR_USE_BUFFERED_QUERY => false,
++ PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION
++ ]);
++ } catch(PDOException $e){
++ // if connection fails, log PDO error.
++ error_log("Error connecting to mysql: ". $e->getMessage());
++ }
++
++ if (isset($dbpdo)) {
++ // prepare statement
++ $statement = "SELECT * FROM user_info WHERE username = :user";
++ $query = $dbpdo->prepare("$statement");
++ // build parameters for prepared statement
++ $params = [":user" => "$username"];
++ // execute the prepared statement and pass it params
++ $query->execute($params);
++ // fetch the data
++ while ($row = $query->fetch(PDO::FETCH_NUM)) {
++ $userName = $row[1];
++ $lastLogin = $row[2];
++ $userHash = $row[3];
++ $userEmail = $row[4];
++ $userType = $row[5];
++ $userTime = $row[6];
++ $tzoffset = $row[7];
++ }
++
++ // if $username was found in database, then check password
++ if ( isset($userName) && $username == $userName) {
++ // The first 2 chars are the salt
++ $theSalt = substr($userHash, 0,2);
++
++ // The remainder is the hash
++ $theHash = substr($userHash, 2);
++
++ // Now we hash the users input
++ $testHash = sha1($password . $theSalt);
++
++ // Does it match? If yes, start the session.
++ if ($testHash === $theHash) {
++ session_start();
++
++ // Protect against session fixation attack
++ if (!isset($_SESSION['initiated'])) {
++ session_regenerate_id();
++ $_SESSION['initiated'] = true;
++ }
++
++ $_SESSION['sLogin'] = 1;
++ $_SESSION['sUser'] = $userName;
++ $_SESSION['sPass'] = $password;
++ $_SESSION['sEmail'] = $userEmail;
++ $_SESSION['sType'] = $userType;
++ $_SESSION['sTime'] = $userTime;
++ $_SESSION['tzoffset'] = $tzoffset;
++ $_SESSION['sTab'] = 't_sum';
++ $_SESSION['id'] = $id;
++
++ header ("Location: index.php?id=$id");
++ } else {
++ $err = 'The user name or password is incorrect.';
++ $focus = 'username';
++ }
++ } else {
++ $err = 'The user name or password is incorrect.';
++ $focus = 'username';
++ }
++ } else {
++ $err = 'Connection Failed';
++ }
++//}
++?>
++
++
++
++Please login to continue
++
++
++
++
++
++
++ ++ ++ ++ ++ ++ ++
++squert - Please login to continue
++Username
++
++Password
++
++

++
Version 1.7.0©2016 Paul Halliday
++
++
++
++
++
diff --git a/debian/patches/populate-empty-hash-fields b/debian/patches/populate-empty-hash-fields
new file mode 100644
index 0000000..0f7bbba
--- /dev/null
+++ b/debian/patches/populate-empty-hash-fields
@@ -0,0 +1,35 @@
+Description:
+ TODO: Put a short summary on the line above and replace this paragraph
+ with a longer explanation of this change. Complete the meta-information
+ with other relevant fields (see below for details). To make it easier, the
+ information below has been extracted from the changelog. Adjust it or drop
+ it.
+ .
+ securityonion-squert (20161212-1ubuntu1securityonion7) trusty; urgency=medium
+ .
+ * populate empty hash fields
+Author: Doug Burks
+
+---
+The information above should follow the Patch Tagging Guidelines, please
+checkout http://dep.debian.net/deps/dep3/ to learn about the format. Here
+are templates for supplementary fields that you might want to add:
+
+Origin: ,
+Bug:
+Bug-Debian: http://bugs.debian.org/
+Bug-Ubuntu: https://launchpad.net/bugs/
+Forwarded:
+Reviewed-By:
+Last-Update:
+
+--- securityonion-squert-20161212.orig/.scripts/securityonion_update.sh
++++ securityonion-squert-20161212/.scripts/securityonion_update.sh
+@@ -50,6 +50,7 @@ if [ -d /var/lib/mysql/securityonion_db/
+ else
+ echo "Adding hash field to object_mappings table."
+ $MYSQL "ALTER TABLE object_mappings ADD hash CHAR(32);"
++ $MYSQL "UPDATE object_mappings SET hash=md5(concat(type,object,value)) WHERE hash IS NULL;"
+ $MYSQL "ALTER TABLE object_mappings DROP PRIMARY KEY , ADD PRIMARY KEY (hash);"
+ fi
+
diff --git "a/debian/patches/remove-unnecessary-code-from-ip2c.php\033:wq" "b/debian/patches/remove-unnecessary-code-from-ip2c.php\033:wq"
new file mode 100644
index 0000000..b2efc9e
--- /dev/null
+++ "b/debian/patches/remove-unnecessary-code-from-ip2c.php\033:wq"
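Review bot: The successful-login branch keeps the cleartext password in the session for its whole lifetime (`$_SESSION['sPass'] = $password;`), so a readable session store exposes the credential itself rather than the salted hash; unless index.php genuinely reads `sPass`, that line should go. In the same branch `session_regenerate_id()` is called without `true`, so the pre-login session record stays on disk, and `header ("Location: index.php?id=$id");` is not followed by `exit;`, so the login form below is still rendered and sent behind the redirect. The `$id` in that redirect is `md5()` of request data padded with `mt_rand()`, which is not a cryptographic source; `$id = bin2hex(random_bytes(16));` is the drop-in replacement. `cleanUp()` appears unused in this file and still calls `mysql_real_escape_string`, the extension this patch replaces with PDO, so on a PHP 7 build it would fatal on any call and can simply be deleted.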
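Review bot: `md5(concat(type,object,value))` in the added UPDATE joins the three columns with no separator, so two rows whose values differ only in where the field boundary falls (type `ab`/object `c` versus type `a`/object `bc`) hash identically, and the `ADD PRIMARY KEY (hash)` on the following line would then abort the upgrade with a duplicate-key error. The application's own formula for new rows has to be matched exactly, so this is only fixable if that code is changed the same way; otherwise a comment in the script naming the collision case would at least make a failed upgrade diagnosable. If any of the three columns is nullable, `concat()` returns NULL for that row and it keeps a NULL hash, which the primary-key add also rejects; `concat_ws('', ...)` or `coalesce()` per column would sidestep that. The DEP-3 header above the hunk is still the unfilled template (`TODO: Put a short summary on the line above …`); a one-line `Description: populate empty hash fields before making hash the primary key` is all it needs.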
@@ -0,0 +1,161 @@ +Description: + TODO: Put a short summary on the line above and replace this paragraph + with a longer explanation of this change. Complete the meta-information + with other relevant fields (see below for details). To make it easier, the + information below has been extracted from the changelog. Adjust it or drop + it. + . + securityonion-squert (20161212-1ubuntu1securityonion39) xenial; urgency=medium + . + * remove unnecessary code from ip2c.php +Author: Doug Burks + +--- +The information above should follow the Patch Tagging Guidelines, please +checkout http://dep.debian.net/deps/dep3/ to learn about the format. Here +are templates for supplementary fields that you might want to add: + +Origin: , +Bug: +Bug-Debian: http://bugs.debian.org/ +Bug-Ubuntu: https://launchpad.net/bugs/ +Forwarded: +Reviewed-By: +Last-Update: + +--- securityonion-squert-20161212.orig/.inc/ip2c.php ++++ securityonion-squert-20161212/.inc/ip2c.php +@@ -25,29 +25,22 @@ include_once "functions.php"; + $db = mysqli_connect($dbHost,$dbUser,$dbPass) or die(mysqli_error($db)); + mysqli_select_db($db,$dbName) or die(mysqli_error($db)); + +-function IP2C($string,$isCLI) { ++function IP2C($string) { + +- if ($isCLI == 'NO') { +- // Running from a browser +- $when = 'WHERE ' . hextostr($string) . ' AND '; +- } else { +- // Running from the command line +- if ($string == 0) { +- $when = "WHERE "; +- } +- +- if ($string == 1) { +- $startDate = gmdate("Y-m-d"); +- $startTime = "00:00:00"; +- $endDate = gmdate("Y-m-d",strtotime($startDate . "+1 day")); +- $endTime = "00:00:00"; +- $when = "WHERE e.timestamp BETWEEN '$startDate $startTime' AND '$endDate $endTime' AND"; +- } +- +- echo "Performing base queries (this can take a while)..\n\n"; ++ if ($string == 0) { ++ $when = "WHERE "; ++ } + ++ if ($string == 1) { ++ $startDate = gmdate("Y-m-d"); ++ $startTime = "00:00:00"; ++ $endDate = gmdate("Y-m-d",strtotime($startDate . 
"+1 day")); ++ $endTime = "00:00:00"; ++ $when = "WHERE e.timestamp BETWEEN '$startDate $startTime' AND '$endDate $endTime' AND"; + } + ++ echo "Performing base queries (this can take a while)..\n\n"; ++ + function lookup($list) { + + global $db; +@@ -75,13 +68,11 @@ function IP2C($string,$isCLI) { + } + } + +- // DB Connect +- global $dbHost, $dbUser, $dbPass, $dbName; +- $db = mysqli_connect($dbHost,$dbUser,$dbPass) or die(mysqli_error($db)); +- mysqli_select_db($db,$dbName) or die(mysqli_error($db)); +- + // Start timing + $st = microtime(true); ++ ++ // DB Connect ++ global $db; + $sipList = mysqli_query($db,"SELECT DISTINCT(e.src_ip) FROM event AS e LEFT JOIN mappings AS m ON e.src_ip=m.ip + WHERE (m.ip IS NULL OR m.cc = '01')"); + $dipList = mysqli_query($db,"SELECT DISTINCT(e.dst_ip) FROM event AS e LEFT JOIN mappings AS m ON e.dst_ip=m.ip +@@ -109,19 +100,7 @@ function IP2C($string,$isCLI) { + $time = $et - $st; + $rt = sprintf("%01.3f",$time); + +- if ($isCLI == 'NO') { +- +- $html = "\r +- \r +- \r +- \r +- \r +- \r
 -> Query Time: $rt seconds
 -> Source Count: $sipCount
 -> Destination Count: $dipCount
 -> Total Mapped: $allCount[0]
"; +- +- return $html; +- } +- +- if ($isCLI == 'YES' && $string == 0) { ++ if ($string == 0) { + echo "\n-> Query Time: $rt seconds + \r-> Source Count: $sipCount + \r-> Destination Count: $dipCount +@@ -130,30 +109,6 @@ function IP2C($string,$isCLI) { + + } + +-/* +- +-Commenting out the following function per +-https://github.com/int13h/squert/issues/76 +- +-function TheHTML($string) { +- +- echo "\r +- \r +- \r +- \r +- \r +- \r +- \r
+- \r
+- \r +- \r

+- \r +- \r
+- \r +- \r"; +-} +-*/ +- + if (isset($argc)) { + + if ($argc == 1 || $argc > 2 || $argv[1] > 1 || !is_numeric($argv[1])) { +@@ -164,21 +119,8 @@ if (isset($argc)) { + \r1 - Update. This is intended to be called via Cron\n\n"; + exit; + } else { +- IP2C($argv[1],'YES'); +- } +- +-} else { +- +- $html = ''; +- +- if(!isset($_REQUEST['qText'])) { $string = $_REQUEST['qp']; } else { $string = $_REQUEST['qText']; } +- +- if (@$_REQUEST['csync']) { +- $string = $_REQUEST['qText']; +- $html = IP2C($string,'NO'); ++ IP2C($argv[1]); + } + +- TheHTML($string); +- echo $html; + } + ?> diff --git a/debian/patches/securityonion-squert:-increase-group_concat_max_len-Security-Onion-Solutionssecurity-onion#1602 b/debian/patches/securityonion-squert:-increase-group_concat_max_len-Security-Onion-Solutionssecurity-onion#1602 new file mode 100644 index 0000000..ad3d535 --- /dev/null +++ b/debian/patches/securityonion-squert:-increase-group_concat_max_len-Security-Onion-Solutionssecurity-onion#1602 
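Review bot: ip2c.php still connects at file scope — `$db = mysqli_connect($dbHost,$dbUser,$dbPass) or die(mysqli_error($db));` sits above `function IP2C` — so if the file is reachable over HTTP, a plain GET still opens a database session as the configured user and, on failure, `die()`s driver text into the response; only the work inside `if (isset($argc))` is CLI-only after this change. Since the browser path is being deliberately removed here, gate the whole file: `if (PHP_SAPI !== 'cli') { exit; }` as the first statement, before the includes. The series also lists a `disable-ip2c.php` patch that may already block web access; its contents are not in view, so treat this as belt and braces. `IP2C()` and the nested `lookup()` continue outside this hunk.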
@@ -0,0 +1,34 @@ +Description: + TODO: Put a short summary on the line above and replace this paragraph + with a longer explanation of this change. Complete the meta-information + with other relevant fields (see below for details). To make it easier, the + information below has been extracted from the changelog. Adjust it or drop + it. + . + securityonion-squert (20161212-1ubuntu1securityonion43) xenial; urgency=medium + . + * securityonion-squert: increase group_concat_max_len Security-Onion-Solutions/security-onion#1602 +Author: Doug Burks + +--- +The information above should follow the Patch Tagging Guidelines, please +checkout http://dep.debian.net/deps/dep3/ to learn about the format. Here +are templates for supplementary fields that you might want to add: + +Origin: , +Bug: +Bug-Debian: https://bugs.debian.org/ +Bug-Ubuntu: https://launchpad.net/bugs/ +Forwarded: +Reviewed-By: +Last-Update: + +--- securityonion-squert-20161212.orig/.scripts/securityonion-squert.cnf ++++ securityonion-squert-20161212/.scripts/securityonion-squert.cnf +@@ -1,5 +1,5 @@ + [mysqld] +-group_concat_max_len = 100000 ++group_concat_max_len = 1000000 + sql_mode=NO_ZERO_IN_DATE,NO_ZERO_DATE,ERROR_FOR_DIVISION_BY_ZERO,NO_AUTO_CREATE_USER,NO_ENGINE_SUBSTITUTION + + [mysqltcl] diff --git a/debian/patches/series b/debian/patches/series new file mode 100644 index 0000000..dc1595c --- /dev/null +++ b/debian/patches/series 
@@ -0,0 +1,41 @@ +add-securityonion-squert.cnf +add-config.php +update-path-in-clicat.tcl +disable-ip2c.php +fix-ip2c.php +add-hash-to-object_mappings-table +populate-empty-hash-fields +Squert:-OSSEC-HIDS-alerts-display-NIDS-rules-#958 +initialize-srcd,-dstd,-and-alld-in-callback.php +Squert:-error-when-removing-comment-#1066 +update-README.md +bump-version-to-1.6.4 +Squert:-ip2c-avoid-hard-loop-when-file-unavailable-#1067 +Squert:-comment-search-not-working-#1119 +fix-error-in-times-function +improve-input-validation-and-output-filtering +merge-and-adjust-comment +improve-calls-to-clicat +improve-postinst +move-auth-to-optsquert +set-version-to-1.7.0 +begin-transition-to-pdo-prepared-statements +improve-callback.php-and-grant-permission-to-autocat-table +allow-pivot-to-elsa-or-elastic +migrate-login.php-to-prepared-statements +add-row-for-Bro-agent +version-1.7.1 +update-mysql-calls-and-config +move-files-from-elastic-package +fix-auth +disable-mysql-strict-mode +frontend-expects-all-values-to-be-strings +iterate-over-all-arrays-when-converting-strings +fix-for-loop +update-mysql-function-calls-in-ip2c.php +remove-unnecessary-code-from-ip2c.php:wq +Issue-1169:-Squert:-remove-search-link-from-context-menu +Issue-1259:-Squert:-turning-grouping-off-results-in-no-alerts +Squert:-Priority-counts-incorrect-#1277 +securityonion-squert:-increase-group_concat_max_len-Security-Onion-Solutionssecurity-onion#1602 +Squert:-improve-consistency-of-username-handling-Security-Onion-Solutionssecurity-onion#1643 diff --git a/debian/patches/set-version-to-1.7.0 b/debian/patches/set-version-to-1.7.0 new file mode 100644 index 0000000..7a859f4 --- /dev/null +++ b/debian/patches/set-version-to-1.7.0 
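Review bot: The series entry `remove-unnecessary-code-from-ip2c.php:wq` ends in `:wq`, and the patch file this commit adds is named `remove-unnecessary-code-from-ip2c.php\033:wq` (git quotes it because the name carries a literal ESC byte) — a vim save keystroke captured into the filename. Whether this series line contains the same ESC byte cannot be told from the rendering; if it does not, quilt will fail to find the patch and the build breaks, and even if it does the name is unusable from a shell. Rename the file to `remove-unnecessary-code-from-ip2c.php` and fix this entry to match.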
@@ -0,0 +1,47 @@ +Description: + TODO: Put a short summary on the line above and replace this paragraph + with a longer explanation of this change. Complete the meta-information + with other relevant fields (see below for details). To make it easier, the + information below has been extracted from the changelog. Adjust it or drop + it. + . + securityonion-squert (20161212-1ubuntu1securityonion22) trusty; urgency=medium + . + * set version to 1.7.0 +Author: Doug Burks + +--- +The information above should follow the Patch Tagging Guidelines, please +checkout http://dep.debian.net/deps/dep3/ to learn about the format. Here +are templates for supplementary fields that you might want to add: + +Origin: , +Bug: +Bug-Debian: http://bugs.debian.org/ +Bug-Ubuntu: https://launchpad.net/bugs/ +Forwarded: +Reviewed-By: +Last-Update: + +--- securityonion-squert-20161212.orig/auth/native/squert/login.php ++++ securityonion-squert-20161212/auth/native/squert/login.php +@@ -130,7 +130,7 @@ Password
+

+ + +-
Version 1.6.7©2016 Paul Halliday
++
Version 1.7.0©2016 Paul Halliday
+ + + +--- securityonion-squert-20161212.orig/auth/sso/squert/login.php ++++ securityonion-squert-20161212/auth/sso/squert/login.php +@@ -133,7 +133,7 @@ Password
+

+ + +-
Version 1.6.4©2016 Paul Halliday
++
Version 1.7.0©2016 Paul Halliday
+ + + diff --git a/debian/patches/update-README.md b/debian/patches/update-README.md new file mode 100644 index 0000000..1e2af74 --- /dev/null +++ b/debian/patches/update-README.md @@ -0,0 +1,35 @@ +Description: + TODO: Put a short summary on the line above and replace this paragraph + with a longer explanation of this change. Complete the meta-information + with other relevant fields (see below for details). To make it easier, the + information below has been extracted from the changelog. Adjust it or drop + it. + . + securityonion-squert (20161212-1ubuntu1securityonion10) trusty; urgency=medium + . + * Squert: error when removing comment #1066 +Author: Doug Burks + +--- +The information above should follow the Patch Tagging Guidelines, please +checkout http://dep.debian.net/deps/dep3/ to learn about the format. Here +are templates for supplementary fields that you might want to add: + +Origin: , +Bug: +Bug-Debian: http://bugs.debian.org/ +Bug-Ubuntu: https://launchpad.net/bugs/ +Forwarded: +Reviewed-By: +Last-Update: + +--- securityonion-squert-20161212.orig/README.md ++++ securityonion-squert-20161212/README.md +@@ -4,6 +4,6 @@ + + SQueRT is a tool that is used to query event data. + +-NOTE: Squert was originally developed by [Paul Halliday](http://www.pintumbler.org/words/youcantgobackonlyforward). ++NOTE: SQueRT was originally developed by [Paul Halliday](http://www.pintumbler.org/words/youcantgobackonlyforward). + Thanks to Paul for all of his hard work over the years! + This is a fork of Paul's latest version that is maintained by the Security Onion team and includes modifications specific to Security Onion. diff --git a/debian/patches/update-mysql-calls-and-config b/debian/patches/update-mysql-calls-and-config new file mode 100644 index 0000000..87f8a4a --- /dev/null +++ b/debian/patches/update-mysql-calls-and-config 
@@ -0,0 +1,52 @@ +Description: + TODO: Put a short summary on the line above and replace this paragraph + with a longer explanation of this change. Complete the meta-information + with other relevant fields (see below for details). To make it easier, the + information below has been extracted from the changelog. Adjust it or drop + it. + . + securityonion-squert (20161212-1ubuntu1securityonion30) xenial; urgency=medium + . + * update mysql calls and config +Author: Doug Burks + +--- +The information above should follow the Patch Tagging Guidelines, please +checkout http://dep.debian.net/deps/dep3/ to learn about the format. Here +are templates for supplementary fields that you might want to add: + +Origin: , +Bug: +Bug-Debian: http://bugs.debian.org/ +Bug-Ubuntu: https://launchpad.net/bugs/ +Forwarded: +Reviewed-By: +Last-Update: + +--- securityonion-squert-20161212.orig/.inc/functions.php ++++ securityonion-squert-20161212/.inc/functions.php +@@ -56,13 +56,13 @@ function retSD($x) { + function dbC() { + if (file_exists('.inc/config.php')) { + global $dbHost,$dbName,$dbUser,$dbPass; +- $link = mysql_connect($dbHost,$dbUser,$dbPass); ++ $link = mysqli_connect($dbHost,$dbUser,$dbPass); + + if (!$link) { + die('Connection failed: ' . mysql_error()); + } + +- $db = mysql_select_db($dbName,$link); ++ $db = mysqli_select_db($link,$dbName); + + if (!$db) { + die('Database selection failed: ' . mysql_error()); +--- securityonion-squert-20161212.orig/.scripts/securityonion-squert.cnf ++++ securityonion-squert-20161212/.scripts/securityonion-squert.cnf +@@ -1,5 +1,6 @@ + [mysqld] + group_concat_max_len = 100000 ++sql_mode=STRICT_TRANS_TABLES,NO_ZERO_IN_DATE,NO_ZERO_DATE,ERROR_FOR_DIVISION_BY_ZERO,NO_AUTO_CREATE_USER,NO_ENGINE_SUBSTITUTION + + [mysqltcl] + local-infile=1 diff --git a/debian/patches/update-mysql-function-calls-in-ip2c.php b/debian/patches/update-mysql-function-calls-in-ip2c.php new file mode 100644 index 0000000..f3730b7 --- /dev/null 
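Review bot: `dbC()` now connects with `mysqli_connect` and selects with `mysqli_select_db`, but both failure branches are untouched and still call `mysql_error()`, which belongs to the ext/mysql API this series is migrating away from and does not exist on PHP 7+, so a failed connection now dies with a fatal undefined-function error instead of the intended message. Change the two lines to `die('Connection failed: ' . mysqli_connect_error());` and `die('Database selection failed: ' . mysqli_error($link));`. As a caveat, `die()`-ing driver error text into the page is itself information leakage for a web application; logging via `error_log()` and showing a generic message is the better shape, and the PDO code elsewhere in this series already does that. `dbC()` continues beyond the hunk.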
+++ b/debian/patches/update-mysql-function-calls-in-ip2c.php 
@@ -0,0 +1,113 @@ +Description: + TODO: Put a short summary on the line above and replace this paragraph + with a longer explanation of this change. Complete the meta-information + with other relevant fields (see below for details). To make it easier, the + information below has been extracted from the changelog. Adjust it or drop + it. + . + securityonion-squert (20161212-1ubuntu1securityonion38) xenial; urgency=medium + . + * update mysql function calls in ip2c.php +Author: Doug Burks + +--- +The information above should follow the Patch Tagging Guidelines, please +checkout http://dep.debian.net/deps/dep3/ to learn about the format. Here +are templates for supplementary fields that you might want to add: + +Origin: , +Bug: +Bug-Debian: http://bugs.debian.org/ +Bug-Ubuntu: https://launchpad.net/bugs/ +Forwarded: +Reviewed-By: +Last-Update: + +--- securityonion-squert-20161212.orig/.inc/ip2c.php ++++ securityonion-squert-20161212/.inc/ip2c.php +@@ -19,10 +19,13 @@ + // + // + +-function IP2C($string,$isCLI) { ++include_once "config.php"; ++include_once "functions.php"; ++ ++$db = mysqli_connect($dbHost,$dbUser,$dbPass) or die(mysqli_error($db)); ++mysqli_select_db($db,$dbName) or die(mysqli_error($db)); + +- include_once "config.php"; +- include_once "functions.php"; ++function IP2C($string,$isCLI) { + + if ($isCLI == 'NO') { + // Running from a browser +@@ -47,13 +50,14 @@ function IP2C($string,$isCLI) { + + function lookup($list) { + +- while ($row = mysql_fetch_row($list)) { ++ global $db; ++ while ($row = mysqli_fetch_row($list)) { + $ip = $row[0]; + $dot = long2ip((float)$ip); +- $ipLookup = mysql_query("SELECT registry, cc, c_long, type, date, status FROM ip2c WHERE ++ $ipLookup = mysqli_query($db,"SELECT registry, cc, c_long, type, date, status FROM ip2c WHERE + $ip >=start_ip AND $ip <= end_ip LIMIT 1"); + +- $result = mysql_fetch_array($ipLookup); ++ $result = mysqli_fetch_array($ipLookup); + + if ($result) { + $registry = $result[0]; +@@ -63,7 +67,7 @@ 
function IP2C($string,$isCLI) { + $date = $result[4]; + $status = $result[5]; + +- mysql_query("REPLACE INTO mappings (registry,cc,c_long,type,ip,date,status) ++ mysqli_query($db,"REPLACE INTO mappings (registry,cc,c_long,type,ip,date,status) + VALUES (\"$registry\",\"$cc\",\"$c_long\",\"$type\",\"$ip\",\"$date\",\"$status\")"); + echo "-- Mapped $dot ($ip) to $cc ($c_long)\n"; + } +@@ -72,32 +76,33 @@ function IP2C($string,$isCLI) { + } + + // DB Connect +- $db = mysql_connect($dbHost,$dbUser,$dbPass) or die(mysql_error()); +- mysql_select_db($dbName,$db) or die(mysql_error()); ++ global $dbHost, $dbUser, $dbPass, $dbName; ++ $db = mysqli_connect($dbHost,$dbUser,$dbPass) or die(mysqli_error($db)); ++ mysqli_select_db($db,$dbName) or die(mysqli_error($db)); + + // Start timing + $st = microtime(true); +- $sipList = mysql_query("SELECT DISTINCT(e.src_ip) FROM event AS e LEFT JOIN mappings AS m ON e.src_ip=m.ip ++ $sipList = mysqli_query($db,"SELECT DISTINCT(e.src_ip) FROM event AS e LEFT JOIN mappings AS m ON e.src_ip=m.ip + WHERE (m.ip IS NULL OR m.cc = '01')"); +- $dipList = mysql_query("SELECT DISTINCT(e.dst_ip) FROM event AS e LEFT JOIN mappings AS m ON e.dst_ip=m.ip ++ $dipList = mysqli_query($db,"SELECT DISTINCT(e.dst_ip) FROM event AS e LEFT JOIN mappings AS m ON e.dst_ip=m.ip + WHERE (m.ip IS NULL OR m.cc = '01')"); + $sipCount = $dipCount = 0; + if ($sipList) { +- $sipCount = mysql_num_rows($sipList); ++ $sipCount = mysqli_num_rows($sipList); + if ($sipCount > 0) { + lookup($sipList); + } + } + + if ($dipList) { +- $dipCount = mysql_num_rows($dipList); ++ $dipCount = mysqli_num_rows($dipList); + if ($dipCount > 0) { + lookup($dipList); + } + } + +- $allRecs = mysql_query("SELECT COUNT(*) FROM mappings"); +- $allCount = mysql_fetch_row($allRecs); ++ $allRecs = mysqli_query($db,"SELECT COUNT(*) FROM mappings"); ++ $allCount = mysqli_fetch_row($allRecs); + + // Stop Timing + $et = microtime(true); 
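Review bot: `lookup()` keeps building both statements by interpolation after the mysqli port: `$ip` is spliced unquoted into `WHERE $ip >=start_ip AND $ip <= end_ip`, and the seven fields read back from `ip2c` go into `REPLACE INTO mappings (...) VALUES (\"$registry\",\"$cc\",...)` with no escaping, so a quote or backslash in the ip2c data (which postinst shows is bulk-loaded by mysqld from a results.txt file) becomes SQL. Switching to mysqli was the moment to use `mysqli_prepare()`/`mysqli_stmt_bind_param()`; short of that, cast `$ip = (int)$row[0];` and wrap each `$result[n]` read in `mysqli_real_escape_string($db, ...)`. Separately, `mysqli_connect(...) or die(mysqli_error($db))` cannot report its own failure because `$db` is `false` on the error path (PHP 8 raises a TypeError instead); use `die(mysqli_connect_error())` both at file scope and inside `IP2C()`. `IP2C()` continues beyond this hunk.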
diff --git a/debian/patches/update-path-in-clicat.tcl b/debian/patches/update-path-in-clicat.tcl new file mode 100644 index 0000000..ff59f41 --- /dev/null +++ b/debian/patches/update-path-in-clicat.tcl @@ -0,0 +1,33 @@ +Description: + TODO: Put a short summary on the line above and replace this paragraph + with a longer explanation of this change. Complete the meta-information + with other relevant fields (see below for details). To make it easier, the + information below has been extracted from the changelog. Adjust it or drop + it. + . + securityonion-squert (20161212-1ubuntu1securityonion3) trusty; urgency=medium + . + * update path in clicat.tcl +Author: Doug Burks + +--- +The information above should follow the Patch Tagging Guidelines, please +checkout http://dep.debian.net/deps/dep3/ to learn about the format. Here +are templates for supplementary fields that you might want to add: + +Origin: , +Bug: +Bug-Debian: http://bugs.debian.org/ +Bug-Ubuntu: https://launchpad.net/bugs/ +Forwarded: +Reviewed-By: +Last-Update: + +--- securityonion-squert-20161212.orig/.scripts/clicat.tcl ++++ securityonion-squert-20161212/.scripts/clicat.tcl +@@ -1,4 +1,4 @@ +-#!/usr/local/bin/tclsh ++#!/usr/bin/tclsh + + # clicat.tcl - Based on "quickscript.tcl" + # Portions Copyright (C) 2013 Paul Halliday diff --git a/debian/patches/version-1.7.1 b/debian/patches/version-1.7.1 new file mode 100644 index 0000000..9cb997a --- /dev/null +++ b/debian/patches/version-1.7.1 
@@ -0,0 +1,47 @@ +Description: + TODO: Put a short summary on the line above and replace this paragraph + with a longer explanation of this change. Complete the meta-information + with other relevant fields (see below for details). To make it easier, the + information below has been extracted from the changelog. Adjust it or drop + it. + . + securityonion-squert (20161212-1ubuntu1securityonion28) trusty; urgency=medium + . + * version 1.7.1 +Author: Doug Burks + +--- +The information above should follow the Patch Tagging Guidelines, please +checkout http://dep.debian.net/deps/dep3/ to learn about the format. Here +are templates for supplementary fields that you might want to add: + +Origin: , +Bug: +Bug-Debian: http://bugs.debian.org/ +Bug-Ubuntu: https://launchpad.net/bugs/ +Forwarded: +Reviewed-By: +Last-Update: + +--- securityonion-squert-20161212.orig/auth/native/squert/login.php ++++ securityonion-squert-20161212/auth/native/squert/login.php +@@ -150,7 +150,7 @@ Password
+

+ + +-
Version 1.7.0©2016 Paul Halliday
++
Version 1.7.1©2016 Paul Halliday
+ + + +--- securityonion-squert-20161212.orig/auth/sso/squert/login.php ++++ securityonion-squert-20161212/auth/sso/squert/login.php +@@ -150,7 +150,7 @@ Password
+

+ + +-
Version 1.7.0©2016 Paul Halliday
++
Version 1.7.1©2016 Paul Halliday
+
+
+
diff --git a/debian/postinst
new file mode 100644
index 0000000..47dd814
--- /dev/null
+++ b/debian/postinst
@@ -0,0 +1,51 @@
+#!/bin/sh
+
+set -e
+
+case "$1" in
+ configure)
+
+ a2enmod ssl || echo "Error enabling Apache ssl module."
+ a2dismod autoindex -f || echo "Error disabling Apache autoindex module."
+ a2dissite 000-default || echo "Error disabling Apache HTTP listener."
+ a2ensite securityonion || echo "Error enabling Apache securityonion site."
+
+ FILE="/etc/apache2/ports.conf"
+ if [ ! -f $FILE ]; then
+ echo "$FILE not found."
+ else
+ if grep "Listen 80" $FILE>/dev/null; then
+ sed -i 's|^Listen 80$||g' $FILE || echo "Error updating $FILE."
+ fi
+ fi
+
+ apache2ctl restart || echo "Error restarting Apache."
+
+ if ! grep "/var/www/so/squert/.scripts/Ip2c/results.txt" /etc/apparmor.d/local/usr.sbin.mysqld >/dev/null; then
+ echo "/var/www/so/squert/.scripts/Ip2c/results.txt r," >> /etc/apparmor.d/local/usr.sbin.mysqld
+ service apparmor reload || echo "Error reloading apparmor."
+ fi
+
+ [ -f /etc/mysql/conf.d/securityonion-squert.conf ] && rm -f /etc/mysql/conf.d/securityonion-squert.conf
+
+ echo "Please wait while updating database..."
+ bash /var/www/so/squert/.scripts/securityonion_update.sh || echo "Error running SQL update. See /var/log/nsm/squert_update.log."
+
+ ;;
+
+ abort-upgrade|abort-remove|abort-deconfigure)
+ ;;
+
+
+ *)
+ echo "postinst called with unknown argument \`$1'" >&2
+ exit 1
+ ;;
+esac
+
+# dh_installdeb will replace this with shell code automatically
+# generated by other debhelper scripts.
+
+
+
+exit 0
diff --git a/debian/postrm
new file mode 100644
index 0000000..c89e098
--- /dev/null
+++ b/debian/postrm
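Review bot: `bash /var/www/so/squert/.scripts/securityonion_update.sh` runs, as root during configure, a script that lives under the web document root; if that tree or file is writable by the web-server user (ownership is not visible here), a web-side compromise becomes root at the next package upgrade. Ship the updater root-owned outside the docroot (e.g. `/usr/share/securityonion-squert/securityonion_update.sh`) and call it from there, and likewise for the `results.txt` path the AppArmor rule whitelists for mysqld. The `|| echo ...` on every command also defeats `set -e`: a failed Apache restart or failed schema update still leaves the package marked configured, so at least the DB update should end in `|| { echo "Error running SQL update. See /var/log/nsm/squert_update.log." >&2; exit 1; }`. There is also no `#DEBHELPER#` token in this script (postrm has one), so debhelper-generated snippets will never be inserted.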
@@ -0,0 +1,48 @@
+#!/bin/sh
+
+set -e
+
+case "$1" in
+ purge|remove|upgrade|failed-upgrade|abort-install|abort-upgrade|disappear)
+
+# cat << EOF >> /tmp/patch
+#--- /etc/apache2/ports.conf 2012-07-18 16:50:49.292909610 -0400
+#+++ ports.conf 2012-07-26 16:12:21.936798311 -0400
+#@@ -5,9 +5,6 @@
+# # Debian etch). See /usr/share/doc/apache2.2-common/NEWS.Debian.gz and
+# # README.Debian.gz
+#
+#-NameVirtualHost *:80
+#-Listen 80
+#-
+#
+# # If you add NameVirtualHost *:443 here, you will also have to change
+# # the VirtualHost statement in /etc/apache2/sites-available/default-ssl
+#EOF
+# FILE="/etc/apache2/ports.conf"
+# if [ -f $FILE ]; then
+# if grep "Listen 80" $FILE>/dev/null; then
+# echo "$FILE already contains Listen 80"
+# else
+# patch -R $FILE < /tmp/patch
+# fi
+# else
+# echo "$FILE not found."
+# fi
+#
+# rm -f /tmp/patch
+
+ ;;
+
+ *)
+ echo "postrm called with unknown argument \`$1'" >&2
+ exit 1
+ ;;
+esac
+
+# dh_installdeb will replace this with shell code automatically
+# generated by other debhelper scripts.
+
+#DEBHELPER#
+
+exit 0
diff --git a/debian/rules
new file mode 100755
index 0000000..79fd842
--- /dev/null
+++ b/debian/rules
@@ -0,0 +1,8 @@
+#!/usr/bin/make -f
+# -*- makefile -*-
+
+# Uncomment this to turn on verbose mode.
+#export DH_VERBOSE=1
+
+%:
+ dh $@
diff --git a/debian/source/format
new file mode 100644
index 0000000..163aaf8
--- /dev/null
+++ b/debian/source/format
@@ -0,0 +1 @@
+3.0 (quilt)
diff --git a/login.php b/login.php
index 2a39eda..5a6b2bf 100644
--- a/login.php
+++ b/login.php
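Review bot: The `purge|remove|...` branch is entirely commented out, so none of what postinst changes on the host — the `Listen 80` line stripped from `/etc/apache2/ports.conf`, the line appended to `/etc/apparmor.d/local/usr.sbin.mysqld`, the enabled site and modules — is reverted on removal. Either implement the revert on `purge` (the commented `patch -R` sketch is one route; `sed` to re-add `Listen 80`, `a2dissite securityonion` and deleting the appended AppArmor line are the others) or state in the changelog that removal deliberately leaves Apache configuration in place, and delete the dead commented block rather than carrying it.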
@@ -33,9 +33,13 @@ function cleanUp($string) { return $string; } -if ($_SERVER['REQUEST_METHOD'] == 'POST'){ - $username = $_REQUEST['username']; - $password = $_REQUEST['password']; +//if ($_SERVER['REQUEST_METHOD'] == 'POST'){ + //$username = $_REQUEST['username']; + //$password = $_REQUEST['password']; + // sso + $username = $_SERVER['PHP_AUTH_USER']; + $password = $_SERVER['PHP_AUTH_PW']; + $ua = $_SERVER['HTTP_USER_AGENT']; $rqt = $_SERVER['REQUEST_TIME']; $rqaddr = $_SERVER['REMOTE_ADDR']; @@ -45,16 +49,29 @@ function cleanUp($string) { $ua .= mt_rand(0,$max); $cmpid = $rqt . $rqaddr . $ua; $id = md5($cmpid); - $db = mysql_connect($dbHost,$dbUser,$dbPass); - $link = mysql_select_db($dbName, $db); - if ($link) { - $user = cleanUp($username); - $query = "SELECT * FROM user_info WHERE username = '$user'"; - $result = mysql_query($query); - $numRows = mysql_num_rows($result); + // PDO prepared statements + try { + // first connect to database with the PDO object. + $dbpdo = new PDO("mysql:host=$dbHost;dbname=$dbName;charset=latin1", "$dbUser", "$dbPass", [ + PDO::ATTR_EMULATE_PREPARES => false, + PDO::MYSQL_ATTR_USE_BUFFERED_QUERY => false, + PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION + ]); + } catch(PDOException $e){ + // if connection fails, log PDO error. + error_log("Error connecting to mysql: ". $e->getMessage()); + } - if ($numRows > 0) { - while ($row = mysql_fetch_row($result)) { + if (isset($dbpdo)) { + // prepare statement + $statement = "SELECT * FROM user_info WHERE username = :user"; + $query = $dbpdo->prepare("$statement"); + // build parameters for prepared statement + $params = [":user" => "$username"]; + // execute the prepared statement and pass it params + $query->execute($params); + // fetch the data + while ($row = $query->fetch(PDO::FETCH_NUM)) { $userName = $row[1]; $lastLogin = $row[2]; $userHash = $row[3]; 
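Review bot: The `REQUEST_METHOD == 'POST'` gate is commented out and the credentials are now read from `$_SERVER['PHP_AUTH_USER']` and `$_SERVER['PHP_AUTH_PW']` with no `isset()` check, so the login logic runs on every request to login.php and, when Apache has not performed HTTP authentication for this location, continues with a null username (after an undefined-index notice) straight into the database lookup. Guard it up front: `if (!isset($_SERVER['PHP_AUTH_USER'], $_SERVER['PHP_AUTH_PW'])) { header('HTTP/1.0 401 Unauthorized'); exit; }`, and replace the bare `// sso` with a comment saying these values are trusted only because the web server sets them after its own authentication. Delete the commented-out POST block (and the matching `//}` later in the file) instead of keeping it; `cleanUp()` above this hunk appears to lose its only caller in this change and can probably go as well.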
@@ -62,7 +79,10 @@ function cleanUp($string) { $userType = $row[5]; $userTime = $row[6]; $tzoffset = $row[7]; - } + } + + // if $username was found in database, then check password + if ( isset($userName) && strtolower($username) == strtolower($userName) ) { // The first 2 chars are the salt $theSalt = substr($userHash, 0,2); @@ -104,7 +124,7 @@ function cleanUp($string) { } else { $err = 'Connection Failed'; } -} +//} ?> @@ -130,7 +150,7 @@ function cleanUp($string) {
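Review bot: Only the PDO constructor is inside the `try`; `$dbpdo->prepare()`, `execute()` and `fetch()` run outside it with `PDO::ERRMODE_EXCEPTION` set, so any query failure (missing table, dropped connection, collation error) escapes as an uncaught PDOException and, where `display_errors` is on, prints the statement and a stack trace on the login page. Wrap the lookup in a `try` that mirrors the connect branch — `error_log()` the message and set `$err = 'Connection Failed'` — so the user only ever sees the generic text. Minor style: `prepare("$statement")` and `[":user" => "$username"]` interpolate plain strings for no reason; pass `$statement` and `$username` directly. The `while` loop that unpacks `$row` continues past the end of this hunk.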

-
Version 1.6.0©2015 Paul Halliday
+
Version 1.8.2©2016 Paul Halliday